In-Depth

Q&A: Stopping Blended Threats with Multi-Function Security Appliances

Why small and medium-size businesses, and satellite offices, are increasingly adopting multi-function security appliances.

• By Mathew Schwartz
• 05/09/2006

Are standalone firewalls and intrusion detection/prevention systems (IDS/IDP) now relics?

Companies are increasingly adopting multi-function security appliances—single appliances containing multiple, previously standalone security technologies. In fact, one survey says more than a quarter of companies plan to adopt, or already have adopted, such appliances, though 42 percent of companies notably aren’t interested in the technology at all.

The survey of 438 technology buyers in the United States, conducted by Forrester Research in September 2005, also found the top features respondents desire in a single security appliance: IDS/IPS (81 percent), a network firewall (75 percent), e-mail security (74 percent), Web content filtering (63 percent), and an application firewall (60 percent).

To discuss such trends, we spoke with George Sluz, group product manager for the Symantec Gateway Security product family.

Why and how are some companies using unified security appliances?

Especially for the mid-market customer, up to the medium enterprise … over the last few years, the nature of security threats has evolved. Whereas a simple firewall device could catch a lot of attacks [before], a new type of threat—the blended threat—requires multiple types of technologies on the gateway device. Attackers today might try well-known passwords, mail viruses, open ports [facing] the Internet.

What can today’s unified threat appliances do?

Antivirus, firewall, intrusion prevention, and, in some cases (for legal-compliance reasons), you also have to do content filtering. … [Then] we have just added new anti-spyware and anti-adware protection; also, low-cost connectivity. … With the advent of broadband—and low-cost telephony services, even the largest enterprises [with dedicated phone lines for an appliance] are saying, “Why do I have to continue to pay for a leased line to all [my] sites?” … So what we allow customers to do is … get connectivity to two different service providers [for failover]. The probability both will be down at one time is very low. …

Now, the big decision isn’t if I deploy all these things, but how I deploy all these things. Customers can choose to deploy multiple security products from different vendors, depending upon what they like for all these different functions. But [sometimes] … it’s much more cost-effective for them to get a unified threat management appliance like a Symantec Gateway Security that has all these functions in place.

Who’s looking for content filtering in an all-in-one security appliance?

For some government regulations, you have to keep [certain content] from coming in and being on your systems. The way most providers handle this is they do worldwide checks, and have huge databases built up on the sites which they allow users to access, [including ratings] by category and severity.

But there’s a certain class of site that constantly moves its IP address. … So we’ve implemented [content] filtering. … If a user is connecting to a site and getting content, in addition to checking against the URL … we’ll still scan the content of that site as it’s coming through the gateway. Then as it’s being checked, we’re doing an on-the-fly categorization to see if it blocks any categories—per your rules—then we’ll go and block it automatically.

Which types of organizations are subject to such content-screening regulations?

Government offices, government contractors. … Other enterprises have policies for Internet use, and they forbid users from accessing certain types of sites.

Is Symantec discontinuing any of its single-function security appliances?

We’ve pretty much abandoned our line of firewall or firewall/VPN-only devices, and we’re moving all of our products into our Symantec Gateway Security, which covers this market called unified threat management.

Have larger enterprises adopted unified security appliances?

There are a lot of larger enterprises that prefer to deploy point products, and it’s not necessarily that it’s best of breed; it may be because of the functional deployment in the organization [such as a staff member dedicated to firewalls]. … Whereas in a small or medium enterprise, they might not even have a dedicated person; they may have someone in IT who knows how to configure a firewall.

But in the enterprise, there may be a staff member that deals just with antivirus, another that just deals with intrusion prevention, or content filtering … and by the nature of that specificity of function, each of those [people] wants a dedicated device that only they can control. …

Don’t many centralized IT departments also support satellite offices?

Yes. … Those enterprises also have other sites and it really doesn’t make sense to deploy six, seven, or eight different security devices, with different management interfaces, at each site. … [In fact,] we can tailor the management interface to restrict control of a function to a certain group.

What they’re finding is, if … the performance of the Symantec Gateway Security line is appropriate … [then] it’s actually cheaper for them to deploy it [rather than point products] at smaller sites, because even at sites where they have six or seven existing security technologies, they save in overhead and ongoing costs. They don’t have to buy the extended warranty and maintenance on seven devices; they can just do it on one. Then there are the six or seven management interfaces you don’t have to provide training on for all new [IT] employees.

Related Articles:

• Q&A: The 2006 Threat Landscape
• Q&A: Enterprises Shift to All-in-One Security Appliances