
SECURITY BUYER'S GUIDE

Appliances have the edge over general-purpose servers


Scott Sidel
08.10.2004


Back in September of 2001, SearchSecurity's sister publication Information Security magazine published an article in which I addressed concerns regarding general-purpose servers versus purpose-built security appliances. Since then, and despite their expense, security appliances have become the foundation of the modular enterprise. As an introduction to my upcoming SearchSecurity webcast, "Security appliances: Hype vs. reality," let's take a brief look at some of the success factors that have contributed to the popularity of security appliances.

When it comes to comparing appliances and servers, three major factors come into play: security, reliability and cost. Appliances claim to be more secure, more reliable and less costly to manage. Some appliance vendors also tout "wire speeds" and processing speeds that can only be achieved by their purpose-built appliances.

Appliances with stripped-down, hardened operating systems are usually more secure than general-purpose servers, often because unnecessary services and code have been removed. A stripped-down system is a smaller target. Conversely, a general-purpose server often has lots of extras left running that can get you into trouble. At least one vendor -- Redwood City, Calif.-based Check Point -- has blurred the line between specialized appliances and general-purpose servers with its SecurePlatform product, which converts a generic server platform to a firewall running on a hardened custom OS.



The claim of increased reliability is a toss-up when comparing appliances and servers. Today, many CPUs, drives and motherboard-chipsets are nearly identical on both servers and appliances. Thus, neither technology has an edge over the other when it comes to reliability.

Cost starts as an advantage for general-purpose servers using stock parts, but the cost savings evaporate if you make a software support call and must also diagnose your hardware. Appliance support contracts usually cover both hardware and software, thereby simplifying the support cycle and lowering overall costs. But many of these support contracts are just short of highway robbery, with annual maintenance fees for 24x7 support and software upgrades that border on stratospheric.

While it is possible to run a firewall, VPN, antivirus server or content filter on generic hardware, performance must be pumped up by adding specialized hardware, often in the form of function-specific ASICs. ASICs, the specialized chips optimized to do one or two things really well, run circles around their generic CPU cousins.

Recently I ran a debug on two firewalls running similar traffic loads, one with custom ASICs and one without. One firewall was brought to its knees and was barely able to pass traffic. The other one, a NetScreen with custom ASICs, barely registered an increase in CPU utilization and passed traffic normally while running the debug.

VPN appliances, such as those used for SSL and IPSec connections, regularly employ ASICs for the grunt work of encryption and decryption, performing intense feats of computational activity while barely breaking a sweat. Non-ASIC-based generic boxes performing VPN duties could not dream of achieving the same levels of throughput, relegating generic servers to lighter workloads with fewer VPN tunnels.

IDS appliances present another interesting case. Generic hardware running Linux performs as ably as more expensive appliances. Only when the load and network speed increase does the need for an IDS appliance become imperative. Generic servers often fail to handle gigabit throughput and the thousands of data points per second as well as custom IDS appliances, which explains why pricey IDS appliances have a virtual lock on the high end of the market.

But all is not lost for generic servers, especially since new high-speed serial busses that hyper-transport data paths are moving further into commodity hardware, making data-busting intelligence available at low prices. Data storage is already seeing generic server hardware, coupled with the next generation of Serial ATA cards and drives, creating robust, speedy and secure storage servers that pay little, if any, penalty over specialized network attached storage.

Antivirus servers are still a hold-out in the generic server category. Companies such as Trend Micro have begun developing low-end appliances, but Symantec and McAfee still run primarily on servers. Trend Micro (and others) will have to reach gigabit speeds before network-layer antivirus appliances become more common.

During the upcoming SearchSecurity webcast I will probe deeper into the criteria of security, reliability, throughput, support and cost of appliances versus servers. I will also examine ease of deployment, mission flexibility, Common Criteria certification and other issues that impact the server-versus-appliance decision.

About the author
Scott Sidel, CISSP, is a Technical Editor for Information Security magazine. By day he leads a security team for Computer Sciences Corp at the National Institute of Health.





