Buying security in a box

All-in-one security appliances that perform several security tasks are the wave of the future

All-in-one security appliances that perform several security tasks — and in some cases general networking chores — are the wave of the future.

Hardware-based and hardened for security, these network devices first appeared in the firewall and virtual private networking market several years ago, touting ease of use and effective protection for small- to medium-size operations and large organizations' branch offices.

The early appliances focused on single functions such as firewall protection, but a new class of products is on the rise that combine several tasks, including firewall, VPN, intrusion prevention, encryption, content filtering and virus protection.

Proponents of multifunction appliances say the devices lower security costs and improve manageability compared with having dozens of products performing different tasks scattered around the enterprise. Moreover, unlike security software running on traditional servers, purpose-built boxes are not susceptible to security vulnerabilities in the commercial operating systems that underlie the traditional solutions.

Longtime security vendor Symantec Corp. entered the fray last year with its Gateway Security appliance, while NetScreen Technologies Inc., an early entrant into the appliance space, acquired OneSecure Inc. to boost its intrusion-prevention capabilities. And newcomers such as NetContinuum Inc. emerged, offering an all-in-one Web security gateway touting security features as well as general networking capabilities such as load balancing and traffic management.

All of this will make for an interesting year as more companies are expected to jump on the appliance bandwagon.

"By late 2003 and into 2004, there will be an emergence of network security platform appliances that will host a variety of functions," said John Pescatore, a vice president at Gartner Inc.

But this doesn't mean there won't be room for single-function appliances.

Application security gateways are also on the rise. Such gateways handle protocols and traffic that traditional firewalls cannot, including voice over IP, Extensible Markup Language, Secure Sockets Layer (SSL) encryption and HTTP.

As cyberattacks increasingly target Web application vulnerabilities, organizations are looking for ways to protect their applications from unauthorized access and malicious intent.

Newcomer Stratum8 Networks Inc.'s APS 100 network appliance protects Web servers and databases by learning what constitutes acceptable application behavior, and then blocking everything else.

The APS 100 sits behind a network-based firewall and inspects traffic coming through Internet server port 80 — the port that servers use to connect to the Internet and that experiences the majority of cyberattacks, according to industry studies.

Tightening up security on port 80 will be a major theme among appliance vendors.

NetContinuum's network appliance falls into this category. The Santa Clara, Calif.-based company's NC-1000 Web Security Gateway combines several key security functions into a single box that can perform tasks at wire speed, meaning that it can process information just as fast as the network to which it's connected.

"NetContinuum is an emerging technology," said John Diaz, an analyst with the Computer Incident Advisory Capability (CIAC), which provides the Energy Department and National Nuclear Security Administration with incident response, reporting and tracking.

With many commercial Web sites processing 1,000 to 2,000 connections per second, it's impossible to keep up with the traffic using software-based filtering on a Unix server, he said.

The NC-1000, however, has the ability to handle 1 million simultaneous TCP sessions and 6,000 SSL transactions per second. CIAC will use NetContinuum's gateway to improve security response. Using the gateway's VPN capabilities, CIAC analysts can securely exchange system log files, which may contain information critical to stopping an attack, with DOE technology managers at remote locations.

***

Second line of defense

Each security appliance has its own way of performing tasks. Some are combined with traditional firewalls, while others sit behind firewalls and inspect traffic a firewall might not handle, such as application protocols and encrypted traffic. Here is an example of how one security gateway, NetContinuum Inc.'s NC-1000 Web Security Gateway, works:

* Certain Web traffic such as HTTP, voice over IP, Secure Sockets Layer and Extensible Markup Language flows unchecked through the firewall and directly into an organization's network via the port 80 that servers use to connect to the Internet.
* The security gateway appliance monitors port 80, blocking traffic that doesn't conform to security policies and passing on acceptable data to Web servers in the data center. The appliance can also decrypt or encrypt data.
