Consolidated security: Good or evil?

ITKnowledge Exchange member "networksecure1" needed to know if all-in-one network security tools were all they were cracked up to be. Fellow techies jumped in on the conversation and helped out. Here is a portion of the thread.

ITKnowledge Exchange member "networksecure1" needed to know if all-in-one network security tools were all they were cracked up to be. Fellow techies jumped in on the conversation and helped out. Here is a portion of the thread. Read the rest of the thread.

Want to join in on a similar conversation? Register for ITKnowledge Exchange and fill out your profile so you can ask specific sets of people your IT questions and also help out your fellow geeks. Anyone can read answers already provided to questions, but only registered ITKnowledge Exchange members can ask questions or add to threads.


ITKnowledge Exchange member "networksecure1" asked:
I'm a IT director at large media firm in New York City. Considering our security overhaul in recent months, the business is looking to consolidate the office's environment. The talk of the town is to have an all-in-one device that contains a firewall, IDS, VPN and so on. I thought a layered security approach was the way to go, but it seems some security groups have different ideas about the implementation of that.

What are your thoughts about the products like Cisco ASA and Fortinet's tools? Does Nortel has something comparable to Cisco's ASA device?

"ASTRONOMER" WRITES:
There is a lot of marketing hype for all-in-one solutions now. This is very good for the vendor. It locks you into using them for everything.

Now, let's look at it from the users' perspective. If your team has no/limited knowledge, then a single contact point has a lot going for it. You won't get fingers pointing at the other vendors as the problem. They can walk you through a complete solution. The disadvantages involve having all of your eggs in one basket. If they can't address a security problem (like we just had with our spam appliance), you are stuck.

A related issue is: How good is each part of the all-in-one solution? Remember, you won't have the option of choosing each part separately based on individual merits.

If your team can handle variety, you can buy some significant extra security with multiple vendors and the corresponding multiple systems. We currently use two firewalls with a pix on the inside and openBSD on the outside. When we install e-mail relay servers in the DMZ between these systems, we will be able to address the vulnerability of our McAfee box.

The other big issue I see with single solutions is when that single box is compromised or bypassed, the cracker is all the way into your network. If you had our architecture but with a pix on the inside and outside, then a cracker who figured out how to get through the outer pix could use the same techniques to get through the inner one. In our current environment, if someone cracked the BSD, he would discover the pix required a very different approach.

I see single-box solutions as a poor choice for all but very small organizations. I am sure the vendors will differ.

itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke

"ENGINEERIT" WRITES:
What I have learned from my little experience:

  • Never rely on single vendor
  • Never rely on single technology
  • Never rely on single system/device
It is always a good practice of having mix-and-match vendors, technologies and devices.

One vendor may be good at one technology but, at the same time, another may be better for another technology and system.

Our approach and policy is to select the technologies and systems from different vendors, and after evaluation select the best one.

Cisco ASA is no doubt a good product as long as you have an expert to properly configure and make best out of it. Fortinet, too, has a good name. Although I have not used and do not know many people using it.

itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke

"SOLUTIONS1" WRITES:
The architect's dictum that "form follows function" pertains. If you have a security architecture shaped to address security and overall business objectives, then the "fit" of a particular appliance will flow from that architecture. For some media companies, the NO. 1 security objective is to restrict internal information flows internally to wall off one client's proprietary information from another's, while for others it is to secure the supply chain (e.g., from creation to print and distribution). An "appliance" widget may or may not adapt to your particular priorities.

itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke*itke

"TOMLIOTTA" WRITES:
I suggest you go to SecurityFocus.com and run a search on the PenTest forum for "all-in-one." There are numerous threads there that debate the question, and all sides are presented. The thread that comes up from the search is a decent one.

In general, an all-in-one often puts limits on best-of-breed for each function while simplifying management and consolidating contact to a single vendor. The balance is your choice.

Arguments that are no longer relevant include single-point-of-failure, which is addressed by redundancy and failover, for example.

The entire list of all aspects is long. In the end, nobody from the outside can know enough about your environment to give anything but the list of arguments, and the PenTest forum is a good list.


This was first published in June 2005

Dig deeper on Network Security Best Practices and Products

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSDN

SearchEnterpriseWAN

SearchUnifiedCommunications

SearchMobileComputing

SearchDataCenter

SearchITChannel

Close