Editor's note: Welcome to SmartAdvice, a weekly column by The Advisory Council (TAC), an advisory-service firm. The feature answers questions of core interest to you, ranging from leadership advice to enterprise strategies to how to deal with vendors. Submit questions directly to [email protected].
Question A: Should we use security appliances for firewalls, virtual-private-network (VPN) access, etc., or would we be better off deploying security software on general-purpose servers?
Our advice: Network security is serious business. The flood of viruses, spam, spyware, and other attacks on computer networks seems almost unstoppable. The recent CSI/FBI Computer Crime and Security Survey documents that security breaches were responsible for more than $140 million in business losses at the 494 companies surveyed in 2004. Clearly, having a good computer-security defense in place is of paramount importance for any business, yet achieving that goal can be challenging. In the past, unless you had a dedicated, highly trained, professional security staff and specialized systems, something would eventually slip past your defenses. Fortunately, the new breed of security appliances now available makes practicing good security hygiene a snap, but there are worrisome vulnerabilities in taking the appliance approach to solving corporate network-security problems.
If you've recently installed a new firewall, VPN, or wireless router, you've installed a security appliance. What makes these new products different is that they're specifically designed to be easy to install and maintain (they're usually configured and functional in less than an hour) as well as transparent, inexpensive, and upgradable. They're often sold as hardware with an annual software-update subscription. Don’t even think about cutting costs by forgoing the subscription. The crackers have more expertise and spare time than you do. Take advantage of your appliance vendor’s development team, and let them stay a step ahead. Of course, it goes without saying that you need to maintain the system with the latest patches and updates. The products marketed to midsized businesses can generally be configured to update automatically.
If they’re cheap and easy to use, what’s not to like about these systems? There are disadvantages to using security appliances as part of a corporate-security strategy. The obvious one is that the appliance itself becomes a known target for malicious activities. No matter how good the vendor’s development team is, all security systems have vulnerabilities. It's a matter of time before they become known to and exploited by the cracker community.
Another disadvantage is letting your network security rely on a single point of failure. If that system is compromised, the entire trusted network might be open to attack. We recommend continuing to maintain desktop- and server-based security software in addition to any network-appliance installation.
Security appliances make sense as part of an overall IT-infrastructure strategy as long as you remain vigilant. From a business perspective, security is just an expensive insurance policy, so a solution that takes care of the problem transparently and cost-effectively seems like a dream come true.
—Beth Cohen
CSI/FBI Computer Crime and Security Survey
E-mail Security at the Gateway