This article can also be found in the Premium Editorial Download "Information Security magazine: Help! Evaluating AV solutions and tech support."
The idea that there's some sort of "security appliance market" is ridiculous. As an analyst, I track scores of products in 36 categories, and there are vendors who sell appliances
This means that an appliance is nothing more than one alternative among offerings that include software, blades and managed services. Hence, the NetScreen firewall appliance competes with the Check Point software firewall; the Sourcefire IDS appliance competes with Internet Security Systems' RealSecure software; the nCircle vulnerability scanner appliance competes against the Qualys service. And so on.
Here's the rub: Not only can functionality differ significantly, but so can the benefits an appliance brings to the table, depending on what's under the hood.
The initial benefits of all appliances are that they're self-contained, fully functioning units, complete with bundled applications, hardware, OSes, database, middleware and/or any other required software in a single unit. The ultimate expectation, then, becomes comprehensive support. There's no finger pointing among software providers and no telephone tag with enterprise support when a problem occurs--the vendor owns the box and everything in it. Support expectations and SLAs are the first things an enterprise should verify when evaluating an appliance.
Another expectation is ease of implementation. Appliances usually come preconfigured to meet the application's needs, which makes sense for the vendor and customer alike. The real driver for implementation ease, though, is the application itself, not the underlying platform, so don't expect too much unless the application is fairly simple.
Appliances can also maximize performance, but this is where the whole "appliance" notion gets tricky and where one must evaluate inline appliances differently than out-of-band implementations. While appliances generally provide performance gains, no vendor provides them the same way. In some cases, the appliance uses ASIC chips customized for the primary application and function. Usually, the extent of chip-based operations as an overall percentage of functional use will drive the likelihood of performance gains over software.
Because appliances are mixed bags, enterprises should consider these issues during purchasing to make sure they are buying more than just a hyped-up software package. After all, you don't want to end up with a juice mixer if you are looking for a refrigerator.
About the author:
Pete Lindstrom, CISSP, is research director at Spire Security.
This was first published in October 2004