IT appliances: Avoid overdoing it

Having too many single-purpose devices leads to complexity instead of simplicity

Set it and forget it isn’t only a mantra for infomercials for kitchen rotisseries. The idea has also spread through information technology departments. In this case, the amazing machines are appliances — stripped-down, single-purpose computers that can tackle tasks ranging from network management and security to information retrieval and business analysis. This year, the market for security appliances could top $4 billion.

Despite their popularity, the set-it-and-forget-it dream isn’t always reality. Appliances are designed to simplify the IT manager’s life, but each new device introduced into a data center can add managerial complexity to the work of an overburdened staff. The strategy of adding to the hardware headcount rather than reducing it also runs counter to another popular trend in government IT departments — packing multiple virtual servers into shared physical computers to reduce hardware maintenance and power costs.

All of this causes some observers to warn that unless appliances are installed judiciously, any chance for simplifying operations will quickly evaporate.

“The whole appliance issue is a bit of thorn in the side of IT executives,” said Andreas Antonopoulos, senior vice president at Nemertes Research. “If each one is a silver bullet, what you don’t want is for your infrastructure to become a bucket of silver bullets. You need a framework to tie everything together.”

Appliances are understandably popular as IT managers bypass the sometimes complex task of integrating hardware and software to solve a particular business problem. Instead, they simply plug in a dedicated computer or blade server configured by the vendor to work immediately. Typical appliances include the application and an operating system, sometimes a stripped-down version of Linux named juice or JEOS, which stands for just enough operating system.

“People don’t have to know a lot about Linux or Windows or anything else,” said Adam Powers, chief technology officer at LanCope, a maker of network analysis appliances. “They just follow the installation guide by pointing and clicking their way through a simple Web user interface, and they’re good to go.”

Many vendors also ease maintenance and upkeep by providing downloads of application revisions or security patches — sometimes feeding the changes automatically to the device through secure Web connections. The latest appliance designs take advantage of blade formats that slide into a rack-mount chassis to share power and power-protection resources.

Meanwhile, such benefits continue to drive appliance sales. For example, security appliances, the largest category, could grow by about 37 percent to $5.5 billion in the next three years, said Victoria Fodale, program manager and analyst at technology researcher In-Stat.

Unfortunately, potential problems may lurk behind those benefits, analysts say. For example, the flipside of single-purpose designs is a take-what-you-get reality.

“The biggest historical problem with appliances is that people often want to make certain modifications; they don’t want quite what’s off-the-shelf,” said Gordon Haff, principal IT adviser at technology consultant Illuminata. “But once they start modifying appliances, you lose the benefit of having one in the first place.”

What some call a conga line of appliances connected to an agency’s network can also present management problems, Haff said. “If you end up with many different appliances from different vendors throughout your infrastructure, you can potentially end up complicating your environment instead of simplifying it,” he said.

However, some government IT managers say conflicts among appliances competing for network resources are rare. “The real question is [whether] you have a robust-enough general architecture that you can partition the architecture to take care of specific functions,” said Daniel Mintz, chief information officer at the Transportation Department. “It’s a bigger issue than whether appliances clash or not.”

A valuable tool for organizations with a number of appliances is a central management console for troubleshooting and monitoring appliance performance. Many appliance vendors offer central management applications.

“The management piece is becoming important because the way for some vendors to differentiate their solutions is through ease of management by having consistent interfaces,” Fodale said.

However, many appliance vendor consoles work only for one company’s product line, necessitating monitors for each appliance category. A partial alternative comes from some more flexible, category-specific options. For example, companies such as ArcSight, IntelliTactics and NetForensics sell security information management systems that can provide central control for security appliances from a range of vendors. Broader solutions include enterprisewide network management systems, such as Hewlett-Packard’s OpenView and IBM Tivoli products, which can monitor a range of devices connected to internal networks.

Appliance red flags include the automatic updates meant to ease users’ maintenance burden. Service contracts that pay for the updates can increase the cost of an “This is why hardware vendors love appliances,” Fodale said. “The box is just a fraction of the overall cost. You also may pay a license fee that you have to update every year.” Ongoing fees represent more than 50 percent of some appliance vendors’ revenue stream, she said.

Security can also be a concern. Appliances are often self-contained, so users don’t always have tools to verify security settings in general-purpose servers. “I can’t get in there and audit it myself as a consumer,” Powers said. “I have to trust that the vendor has secured the box.”

Fortunately, appliances that support two network management standards — such as Simple Network Management Protocol and Syslog — can automatically create a log of any change to a device’s configuration, such as adding a software revision, rebooting the box or removing it from the network. The logs provide proof for auditors that the equipment is being maintained to comply with security regulations.

“Appliances are closed, so that means an administrator can’t just go in and blow away these logs,” Powers said. “It’s not even physically possible for them to do that, and that’s a good thing because the administrator, unfortunately, can’t always be trusted.”

Meanwhile, some IT managers take a philosophical approach when weighing the pros and cons of IT appliances. The Education Department, which contracts with outside providers for many IT services, prefers to let those companies make decisions about when appliances are appropriate.

“I don’t care if they use appliances as long as I’m confident they’re secure, they’re configured in accordance with all the government’s rules and we’re getting the level of service and outcomes that we contracted for,” said Bill Vajda, Education’s CIO. “If it costs the vendor $100,000 to do that with one device and 50 people or with 50 devices and one person, that’s their concern, not mine.”

Meeting virtualization

To some, the proliferation of single-purpose hardware appliances and space-saving server virtualization are contradictory trends. However, a maturing technology development may eventually bridge the resulting gap.

Virtual appliances combine the concept of single-purpose software solutions with virtualization’s aim to pack multiple virtual servers into a single machine. Virtual appliances offer the plug-and-play benefits of appliances, except they’re delivered entirely as software so organizations don’t have to add new hardware to their data centers, said Srinivas Krishnamurti, director of product management and market development at virtualization technology vendor VMware.

“Virtualization has opened up people’s eyes that a hardware appliance may be utilized only 5 to 10 percent of the time. So there’s a tremendous amount of computing power in that box that’s not being utilized,” he said. “So now people are asking, ‘What if I can get the same benefits of plug and play, but not get the hardware?’ ” Information technology managers at the Transportation and Education departments said virtual appliances are still too new to be part of their infrastructures.

But software vendors are warming to the market. Two years ago, only about six virtual appliances were on the market, Krishnamurti said. Today, IT managers have 600 choices that mirror the selections seen in hardware-based appliances, including ones for security, spam filters, firewalls and business intelligence, he said.

— Alan Joch

Executive summary

  • Special-purpose hardware appliances let agencies quickly deploy needed capabilities, such as security, search and storage. Having too many appliances can overwhelm information technology administrators and undermine agency configuration policies for device security.

  • Chief information officers should allow only appliances that provide system logs for verifying the devices' security profiles and are compatible with enterprise system management platforms.



Appliances management

Information technology appliances may make it easier to launch and maintain tightly focused IT capabilities, such as intrusion protection or network performance monitoring. Agency IT executives who want to avoid the money trap created by appliance sprawl should have staff members look for these features when evaluating new appliances.

  • Audit capabilities. Well-designed appliances shouldn’t require or allow IT administrators to customize security settings. Nevertheless, agencies still need documentation to prove the devices meet prevailing security regulations.


    Event logging can produce audits that show changes to the appliance, such as loading software revisions. For auditing capabilities, check whether a device supports Simple Network Management Protocol or Syslog, or both. Also ask the appliance vendor what specific types of events the device will log.

  • Central management consoles. Vendors offer add-ons for centrally managing their line of appliances, which reduces the time needed for monitoring performance or troubleshooting problems. Organizations that use products from multiple vendors for an appliance niche should consider consoles such as security information management systems that can help manage security appliances. Appliance-heavy organizations that need to manage devices from multiple vendors that cross multiple product categories should make sure their appliance choices support enterprise management systems, such as Hewlett-Packard’s OpenView or IBM Tivoli products, said Apurva Dave, director of product marketing at appliance vendor Riverbed Technology.

