By William Van Winkle
Guardians at the Gate

In every broad discussion about computer security, there is one inevitable question: Software or appliances? The answer "both" is most common, but we have some thoughts on this in the present context.

While interviewing vendors for this article, we slowly realized that nobody was making an effort to discuss software. Sure, there are iterative updates worth noting, such as Symantec Norton Antivirus Corporate Edition 10.1, which recently added support for rootkit threats and better centralized graphical administration tools. And you get little competitive advantages between vendors, such as Trend Micro's ability to block new malware threats based on general policies rather than having to wait for new signature files to emerge. But overall, the software space is very mature, and many if not most accounts have client and server suites in place that merely get renewed every year. Sure, grabbing a couple points in this renewal business is easy money, but it's not where the market excitement is at today.

Appliances are, in general, fresher on the market and largely uncharted territory for buyers. One could also argue that appliances have a better value proposition for SMBs. "Updating a single device versus maybe 800 desktops with a new signature or policy is much quicker in a central location than trying to disperse it around," says Jon Clay, product marketing manager for Trend Micro's SMB segment in North America. "The ability to protect your company very quickly by doing it at the gateway is very beneficial."

There is also the angle of system resources to consider. Take the example of spam in corporate email traffic. According to Trend's Clay, some estimates peg spam at being 70% of all email. Say a company receives 100,000 messages on a daily basis. Given the 70% figure, 70,000 of those will be inappropriate messages that should be blocked and removed.
So the Exchange server only needs enough resources for 30,000 daily messages (plus some growth overhead), and the company doesn't need to invest in extraneous hardware or processing capacity. Server-side software security packages obviously require buying a server. With appliances, there is no additional hardware to buy. Also keep in mind that a small business may only be running a single SBS server to handle all of its communications. Additionally, end-users aren't wasting productivity deleting unwanted messages or worse—clicking through on spam links.

"When you take a laptop and connect at Starbucks or a hotel or wherever—ways that are not behind your firewall—you're not protected behind your perimeter," notes Brian Foster, senior director of product management at Symantec, with a more mobile-centric view in part because of the company's new Client Security 3.1 suite. "You could have the best perimeter protection in the world, but if that laptop leaves the perimeter with critical data on it, you're open to hackers.

"Now turn that around. If you put perfect protection on all your laptops, there's still a need for perimeter protection. Medium and large businesses in particular need perimeter protection primarily for their servers. Because those machines don't move, it doesn't make as much sense to install software with deep packet inspection and so forth on all of them. You just put a perimeter around all of them for more effective management."

VPN/Firewalls

So having said that there's still a viable, profitable market for security software, let's take a closer look at the appliance space. The traditional appliance model has leaned toward dedicated application boxes, such as one to address VPN/firewall, another for antivirus/antispam, and so on. But newer designs are tending toward an all-in-one approach called unified threat management (UTM).

This isn't to say that the VPN/firewall appliance is dead—quite the contrary.
A unit such as Cisco's PIX 525 is targeted at medium-sized businesses and larger needing highly scalable firewall protection and VPN functionality. (The PIX 525 also targets VoIP deployments with advanced quality-of-service configuration options. Lower-end PIX 500-series models are available for smaller businesses.)
Such appliances are a sensible fit for environments where traditional software security suites or other gateway devices are already in place to provide services such as antivirus, content filtering, intrusion prevention, and so on.

The trouble is that a lot of SMBs don't need Cisco-class scalability. Ease of configuration and management combined with solid protection is what most clients are seeking, and the market now has an abundance of suitable options. No better example exists than D-Link's just-released DFL-210, a SOHO VPN/firewall with a street price well under $400. The DFL-210 may look like a consumer router, but under the hood it's all enterprise-class security. The DMZ port for local servers can serve double-duty as a WAN fail-over port. There are four trusted Fast Ethernet ports, and D-Link throws in content filtering, intrusion detection, and QoS prioritization on top of 100-tunnel VPN support and surprisingly advanced firewall options for an appliance in this price range. In a product group that is becoming increasingly ordinary, the DFL-210 stands out with exceptional value.

"VPN/firewall functionality, the core of most integrated security appliance products, is truly reaching the commodity stage," said Jeff Wilson, principal analyst at Infonetics Research, upon announcing his recent Network Security Appliances and Software report. "New silicon vendors are making it possible for manufacturers to build and sell multi-gigabit VPN/firewall appliances for under $5,000, with that number declining rapidly over the next year. In addition, new security vendors are building Ethernet switches that offer full security on every single port at very affordable prices, driving prices down and making competition fiercer for all integrated security products."

According to Infonetics, while the bulk of the $23 billion worldwide 2005 VPN services market still rests with enterprises, 21% came from small organizations. This shows that there is a definite opportunity for resellers wanting to take over remote security management for their clients. From performance monitoring to maintenance to log analysis, many companies just don't want to devote the man hours to tending the organization's security systems, even if the knowledge to do so is within their grasp. This is an open door for resellers to perform such services for a reasonable monthly or annual fee while still profiting on the initial deployment, license renewals, and ongoing infrastructure upgrades. The trick is allying yourself with vendors who not only make services-friendly products available but will educate you on how to perform those services.

Unified Threat Management

UTM appliances often get saddled with the reputation for being cheap, a box that does a little of everything but nothing particularly well at a price that makes it hard to complain. Certainly, there's no shortage of products fitting this description, but there are also many exceptions, and of these one of our top picks is Symantec's Gateway Security 1620.

"You have different kinds of traffic at the perimeter that are going to be scanned, right?" asks Symantec's Brian Foster. "There's SMTP traffic, which is covered by your mail security type appliance. You also have HTTP traffic, FTP traffic, etc., and you might have different appliances looking at each type of traffic. That makes sense from an efficiency and bandwidth perspective. SMTP is a store and forward protocol; you don't know you have a message until you receive it. Protocols like HTTP are realtime as you're browsing sites. So you may want a stand-alone HTTP appliance for performance reasons.
But by and large, customers are moving to the multi-function appliances because they're easier and just make more sense from a price/performance perspective."

Priced at a modest $899, the slender Symantec 1620 box integrates a full-inspection firewall, gateway antivirus protection, intrusion prevention and detection, anti-spam, anti-adware, anti-spyware, URL-based content filtering, IPsec, and SSL-based VPN technologies. The LiveUpdate patching processes you've probably seen in the Norton desktop products apply here, as well. The 1620 targets businesses up to 100 users but can accommodate up to 200. All functionality can be managed via browser from anywhere, including the reseller's back room or a sub-contractor's site, and the device's setup is wizard-based for maximum ease and speed. You can deploy two 1620s for load balancing and/or fail-over assurance (Symantec's management software will detect both and assist with the appropriate configuration), and the setup routines even guide admins through selecting a secondary ISP to guard against service loss.

UTM devices like Symantec's 1620 are an excellent fit for customers leaping from one security type to another (say, client software to appliance) or from one security manufacturer to another. But not every customer wants an overhaul. Many are perfectly happy with one or more of the security elements they already have in place. In such cases, an appliance that covers more functionality than a dedicated device but less than a UTM becomes desirable.

Secure Content Management

A solid candidate in this category is Trend Micro's new InterScan Gateway Security Appliance (www.trendmicro.com). The IGSA is a secure content management (SCM) appliance, meaning a box that involves a combination of hardware and software to perform primarily messaging security, Web filtering, and virus protection tasks.
In essence, the SCM segment tackles the functionality not handled by the VPN/firewall appliances so ubiquitous in 100-user and higher corporate environments.

The IGSA is a 1U Linux appliance sporting a 3.0 GHz Pentium 4 and 1GB of RAM, loaded with Trend's security applications. Various IGSA SKUs range from 100 to 1,000 users, but one advantage of this box is that the only difference between the low- and high-end models is the licensing. All it takes to turn the 100-user model into a 1,000-user IGSA is a download. The device drops in between the firewall and the router, configures in a snap, and automatically starts monitoring traffic using HTTP, FTP, SNMP, and other protocols that carry essentially every major malware threat facing today's companies, including phishing and botnet attacks. One notable perk with the IGSA is its Damage Cleanup Services, which can perform virus and spyware removal for desktops and servers—a handy way to get conventional software functionality without having to pay extra for it.

"If you look at threats today, the majority are coming through the gateway, whether it's mail or Web traffic," notes Trend's Jon Clay. "So instead of having to buy two devices because one does mail and the other may be a spyware device, you have one device managing all of your threats. Resellers and customers don't need to worry about forgetting something and not covering one of the threat areas. Another thing is we've improved our spam blocking in this box. False positives are very low. We've also added automated threat protection, so for new threats that occur, we can send out new policies that aren't based on the signature that a lot of companies have to wait for."

Clay adds that resellers should take care to emphasize content filtering as a security service. This is no longer a small concern left hanging on from the days of Net Nanny.
According to an early 2006 report by security solution provider Burstek that surveyed over 10,000 employees in seven industries, 20% of all Internet access at work is for personal purposes, accounting for 21% of the company's bandwidth costs. More than 8% of this personal use presented a legal liability risk to the company (pornography, gambling, hacking, and similar sites), and almost 20% of personal use carried with it a security threat through participation in illegal file sharing, unintentional spyware downloading, and so on. Almost three-quarters of this activity reduced employee productivity. All it takes is one thwarted security breach, server failure, or harassment lawsuit for an effective security appliance to pay for itself several times over.

UTM Goes A La Carte

There's another type of appliance worth keeping in your arsenal: the a la carte UTM box. These are less common, but we found an intriguing example in ZyXEL's ZyWALL 5. This unit is aimed at the SOHO market and can handle up to 10 simultaneous VPN connections on top of being a four-port Fast Ethernet LAN/DMZ switch. The box also offers firewall, antivirus (from Kaspersky), intrusion detection/protection, anti-spam (from Mailshell), QoS traffic management, and content filtering (from Blue Coat). All of these services are included out of the box, and owners must register the appliance and set up a free account with ZyXEL in order to use them. However, the antivirus, intrusion prevention, spam blocking, and content filtering are all provided on a trialware basis. (We particularly like the dynamic content filtering, which offers dozens of category types and allows admins to craft customized messages for transgressing employees. The witty remarks one could have ready for employees visiting intimate apparel or sex education sites are fun to ponder but no doubt a legal firestorm in the making.) Continued use requires a subscription, and the reseller does get a piece of this.

Interestingly, the ZyWALL 5 (and some other members of the ZyWALL family) were designed over three years ago, when the world was a simpler, less demanding place. Fortunately, ZyXEL built a PCMCIA slot into the appliance's backside that has since been put to inventive use.

"Intrusion detection and protection services are very performance intensive," says Jake Saila, marketing communications manager for ZyXEL. "You can just add the services on existing firewall/VPN devices, and it'll work, but the performance will degrade significantly. So we came out with this Turbo card that brings up the performance. Our ZyWALL 5, 35, and 70 come with wireless card slots, and you can use this Turbo card in that slot. So you get all the value-added features, but the performance remains the same. There is no degradation."

Specifically, on the ZyWALL 5, UTM performance without the Turbo card was less than 1 Mbps; with the Turbo card, this rises to 12 Mbps. The only downside here is that the ZyWALL 5 has only one PC Card slot, so users must choose between 802.11b/g functionality (not included) or the extra performance of the Turbo card.

Still, the bundled Vantage software is a slick central management system able to maintain hundreds of clients with multiple domains and admins—very handy for resellers running their customers' security. And Vantage makes establishing VPN connections no more difficult than looking at a graphical map of the network and clicking on the two points to join securely. It's that brainless. Vantage's logging and reporting capabilities are extensive for such a low-end appliance, but some of the hardware capabilities are more mid-range, too. For example, ZyXEL builds a "VPN high availability" feature into the firmware so that if a concentrator at the central office goes down, the appliance can fail over to a secondary gateway address and maintain the VPN connection. Higher-end ZyWALL units offer hardware appliance fail-over and multiple WAN connections.

Getting Personal

Occasionally, you stumble across persuasive security hardware that doesn't fit in the usual appliance mold. For customers you've outfitted with ZyWALL appliances for the central or branch office, there may still be concerns over protecting remote individuals, particularly traveling executives, sitting on critical data. For these, the ZyWALL P1 Personal Internet Security Appliance may be in order.

The P1 is about the size of a PDA. In a nutshell, it is a personal firewall/VPN box with a WAN port, LAN port, and a mini USB port from which it can be powered. (An AC adapter is also included, but you can't have the AC and USB plugged in simultaneously.) Once admins use a browser to configure the device for connection back to the corporate mother ship, all the user need do is plug in the device and he's on an instantly secure VPN connection accompanied by firewall protection. Could you do this with software? Sure, but it might add complexity for the user. Moreover, the P1 is a snap for admins to manage remotely. An extra perk for the P1 is the fact that it can easily hop between networks and their respective security policy settings.

Last but far from least, what about a UTM appliance for homes and microbusinesses (under 20 employees)? Why not? All of the reasons why someone would want a UTM in the SMB space still apply in the home. And really, with so few seats and so little horsepower needed for only a handful of users, you could practically get away with following the inkjet printer mode of marketing: Give the hardware away at cost and make a mint over time on the consumables.

And thus was born D-Link's SecureSpot, announced early this year, delayed while the setup processes and interface were revamped for absolute newbies, and now finally shipping in force. The SecureSpot (DSD-150) protects up to four PCs out of the box, and additional licenses can be bought for up to 25 users.
The unit retails for $99.99 with additional annual licenses costing $19.99 each. Renewing the SecureSpot's four seats costs $79.99, and additional license renewals remain at $19.99.

The SecureSpot sits between the broadband modem and the router. The device covers everything a home user might need: antivirus, anti-spam, anti-spyware, content filtering (now called parental control), popup blocking, intrusion protection, firewall, and all the reporting a homebody could stomach. D-Link calls this whole feature set Sentinel. Now, what many people don't know is that Sentinel is a service, not a hard-wired feature, which is why you can also circle back to everyone to whom you've ever sold a D-Link gaming router (DGL-4100 or wireless DGL-4300) and have them add on the 4-user Sentinel service for $80. The missing ingredient is all of the extra UI and wizard work D-Link poured into refining SecureSpot for a broader audience.

The SecureSpot and/or Sentinel's value proposition is substantial. All those users paying $50 a year per machine for a security suite (and often only a partial, not a unified, suite) would likely embrace the lower TCO and easier manageability of the SecureSpot. And for all of us who've drummed our fingers at the hiccups and delays of client-side security suites, having a solution at the LAN's edge will be a welcome improvement. There is only one downside for resellers: Because the SecureSpot is a consumer product, you don't get a piece of the license renewal revenue. Also, you're unlikely to get hired on to manage a consumer's LAN security. So it goes.

Safe and Sane

IDC numbers indicate that the overall 2006 security market hovers around $45 billion, and if you're not getting your fair slice of this massive pie, there's something wrong. The problem may come down to basic education. You can't sell what you don't know about. Fortunately, the differences between SOHO security and medium-sized business security are sometimes only a matter of scale.
The fundamental nuts and bolts remain the same.

The obvious place to begin is with anything and everything your manufacturer partners can offer. This starts with white papers, spans up through webinars and online training, and perhaps finally culminates in some sort of certification(s). But don't stop there. Most major distributors have focus areas or programs in security. Seek out community college courses and training through industry organizations such as CompTIA. The more you know, the bigger the contracts you can win and the more you can charge for your services.

We've covered two major areas here, foundational components and edge appliances, but there are plenty more. Find one or two vendor partners for security software and you may just discover that they also offer hosted security services for corporate communications. Symantec Hosted Mail Security and Trend Micro's Enterprise Security Service are two prominent examples. For customers who want a completely hands-off approach to their security, this is the way to fly, and you'll never make easier commission revenue than this.

Just dig in. The need for security only continues to rise, and the deployments you make could literally mean life or death for your clients' businesses. Help them to live and you'll flourish in the process.
Copyright © 2007 RAM Magazine. All rights reserved.
Do not duplicate or redistribute in any form.