FRAMINGHAM (09/22/2003) - Today's security appliances perform so many necessary security functions, they are becoming irresistible to network executives. IDC reports that worldwide unit shipments of security appliances increased 17 percent in the first quarter of this year over the first quarter of 2002.
True, network executives still prefer the traditional software-on-server approach for their conventional needs - like the main corporate firewall. But they like appliances for their simplicity and convenience, particularly when securing small or home offices.
"What appliances have going for them is you can drop them into a network, configure them and you're done," says Laura Koetzle, a senior analyst at Forrester Research. "We see this in organizations that have a lot of branch offices, with people in the field who are not technical but need to have some sort of security. You can configure the appliance in the head office and ship it out to the remote office."
Adds Charles Kolodgy, research director at IDC: "You don't have to worry about patch levels on the systems, you don't have to worry about interactions between software on another machine, and you don't have to worry about buying an operating system. You just have to receive the box from the vendor."
However, appliances have limitations. They aren't as reconfigurable as software-based security applications. "Appliances can really only do what they're designed to do," Koetzle says. "If your needs change radically it's tough to update appliances. If your needs are stable then appliances make total sense."
The earliest models mostly combined firewall and VPN functions, but today's crop integrates a wider range, such as intrusion detection, anti-virus protection and content filtering. "Pretty much everything that you can do with software you can do with an appliance," Kolodgy says.
As appliances' capabilities have expanded, network executives have gained a path for adding new security protections to their networks. Mike Grimm, CIO at Seton, a Norristown, Pa., manufacturer of leather automotive products, uses Fortinet's Fortigate 200 and 400 appliances for VPN, packet-level virus-scanning and firewall functions. He soon will use the products' intrusion-detection capabilities as well, he says.
Seton is in the midst of an appliance rollout that began early this year, with plans to use appliances at 11 regional sites worldwide, Grimm says. All traffic going in or out of each facility passes through the devices. Grimm initially had concerns that the packet-level scanning might cause latency problems with data flow, but says his fears have proven unfounded.
By using the appliances' VPN functions to secure remote offices, Seton will become less reliant on its frame relay network. Over time, Grimm will phase out frame altogether for these offices, saving the company an expected US$12,000 a month in telecom costs, he says. The appliances cost about $50,000.
Plus, with multiple security functions executed by a single device, "less staff is needed to maintain security," Grimm says. On the down side, "if you have a hardware failure you're in trouble. We have had hardware appliances fail us in the past," he says. To counter that, he has placed a second, redundant appliance at each site.
As for intrusion detection, time will tell how well the appliances perform. Grimm does note that through the first seven months of use, Seton hasn't suffered any major breaches such as viruses or hacker attacks.
Still, Seton also uses a few server-based security software applications, such as the virus scanning of its enterprise e-mail systems. Seton began using software from Trend Microsystems several years ago, before the anti-virus appliances were available. Grimm feels that keeping it in place gives Seton multiple layers of protection for e-mail.
Raymond James Financial Inc., a financial services company in St. Petersburg, Fla., also is using a combination of appliances and traditional security software. The company uses Linux-based appliances called V6 from VPN Dynamics, equipped with Check Point software for firewall/VPN and intrusion detection and prevention.
Raymond James has installed appliances at 50 of its locations worldwide and ultimately plans to deploy the devices at 2,000 to 3,000 offices, says Scott Loach, senior information security engineer. The appliances cost about $500 each, including hardware and software, Loach says, and are proving to be a cost-effective way to secure its widespread network of home offices and independent financial advisors' environments - smaller facilities that are not covered by the corporate firewall.
Simplicity, centralized management and monitoring were among the key selling points for the appliances, Loach says. While he isn't planning on tossing out the server-based Check Point Software Technologies Ltd. software now used as the main corporate firewall at headquarters, Loach finds appliances equal the reliability of server-based software.
Analysts agree: Be it start-ups, niche players or mainstream security vendors, this is a highly competitive market that only will become more so as appliances' popularity soars.
Violino is a freelance writer covering business and technology. He can be reached at bviolino@optonline.net.