Enterprises that are under pressure to reduce data center management overhead and power consumption are looking
to consolidate network security infrastructure. Vendors are adjusting their offerings accordingly with choices that range from multi-vendor software on an open chassis to integrated security on network infrastructure components.
Cisco Systems has long had the Firewall Services Module (FWSM), a blade that plugs into its Catalyst 6500 chassis switch so that enterprises can deploy security directly in the cores of their networks. Enterasys Networks has written security technology directly into its entire switching portfolio.
"That's the benefit of the Firewall Services Module," said Todd Schmitzer, manager of networking, telecommunications and security for Santa Clara University. "It's just a blade sitting in a chassis. And the chassis has to be there anyway."
Network security hardware and software vendors have also consolidated various network security technologies – including firewall, intrusion prevention and detection and VPN technology – into single appliances. Juniper has done so with its ISG Integrated Security Gateways and its SRX Series Services Gateways, and Cisco has developed the Adaptive Security Appliance 5500 Series. Other vendors, such as Check Point Software, Fortinet and SonicWall began rolling firewalls, IDS/IPS, antivirus, antispam, content filtering and other technologies into unified threat management (UTM) appliances a few years ago. All of these options reduce management and power consumption by lowering the number of physical security boxes enterprises need to deploy in their data centers.
Consolidating network security software onto a large chassis
Fiserv Inc., a $4.1 billion financial services technology company that processes online banking transactions for thousands of financial companies, consolidated a significant portion of its network security infrastructure after it started exploring an upgrade of its firewall technology, said Rich Isenberg, Fiserv's director of information security.
Isenberg's legacy Check Point Software firewall deployment had become bottleneck on Fiserv's rapidly expanding network about seven years ago.
"We were at a hyper-growth point at that time," Isenberg said. "Our firewall infrastructure was becoming a chokepoint on the network. We were using Nokia boxes to run Check Point firewalls and they just could not keep up with the traffic. We had to add more boxes to get more capacity."
Rather than loading more Check Point firewalls onto more Nokia IP Appliances and racking them in Fiserv's data centers, Isenberg hired an independent lab to do a bakeoff with products from various network security hardware and software vendors. The lab determined that Check Point's firewall software running on network security chassis hardware from Crossbeam Systems would best meet Fiserv's requirements. Crossbeam manufactures a series of 4-, 7- and 14-blade modular chasses with 5 to 40 Gbps of throughput that are designed for running a variety of third-party network security products.
"We looked at [Crossbeam] initially as just a way to stabilize our firewall hardware," Isenberg said. "What we ended up doing was consolidating our firewalls as well as our intrusion detection hardware onto this core platform in all our data centers. We reduced the number of physical firewall and intrusion detection appliances [in our data centers] from 23 down to seven. In subsequent years we've also added our database firewalls and our web application firewalls onto the Crossbeam hardware."
Isenberg said the reduced management overhead of his consolidated network security infrastructure contributed to a return-on-investment for the capital outlay on the Crossbeam chasses within four years.
"It gave us high availability and stabilization while allowing us to keep our operating margins low," he said. "We needed fewer people to work on [network security hardware and software] since we reduced the number of actual boxes we had. Instead of upgrading 50 pieces of hardware and doing a set of tasks 50 times, we just have to do it seven or eight times. We were able to grow our business without having to scale head count at the same level. We also reduced the number of license and maintenance fees we needed."
Security infrastructure consolidation: Going multi-vendor
Since many network security infrastructure vendors offer their products as closed platform hardware appliances, a multi-vendor approach is tricky. However, there is the option of consolidating multiple network security software products from various vendors onto a single piece of hardware, such as a Crossbeam chassis or a more general purpose blade server chassis from IBM, HP, Dell or HP. The options for this approach expanded a little last week when McAfee, which has traditionally sold its enterprise firewall product as a hardware appliance, announced a new deal to run its firewall on Crossbeam's chasses.
The multi-vendor approach made possible with third-party hardware like Crossbeam's has suited Isenberg at Fiserv.
"Crossbeam allows us to select best-of-breed security products and run them on the same box. If we need an intrusion prevention blade, we can load up an [IBM Security Network IPS]. We can load up Sourcefire and put that on a blade next to it. We can put a web application firewall and a database firewall from Imperva on another blade."
The chassis approach also allows Fiserv to add capacity to his network security infrastructure as it's needed.
"You can put a Check Point firewall on one blade and if you run out of capacity you don't rack another box," he said. "You just put another blade in the chassis. It's kind of like capacity on demand without having to make major changes to the network. I don't have to re-cable anything or take the time to add additional hardware. And it's all on the same backplane, so you don't have to worry about tap ports and span ports and where you're going to route all this traffic through."
When enterprises consolidate network security software products onto third-party hardware, they must make sure the software and hardware vendors work well together or network security infrastructure managers will find themselves dealing with too much complexity. For instance, Crossbeam has joint go-to-market partnerships with vendors like Check Point and McAfee. Putting a Check Point firewall on a standard server is another matter.
"There are products sold where you can buy a server and put software on it," said Schmitzer of Santa Clara University. "I'm not averse to that, but part of the decision comes down to complexity. What is the complexity of the deployment, the relationships involved? Do you really want to have two vendors in a point security solution, where if something goes wrong you have fingers being pointed? It's better to have a vendor partnership than two vendors that you have to pull together yourself."
Although Schmitzer's firewall infrastructure now consists of Cisco's FWSM in his Catalyst 6500 core and Palo Alto Networks firewalls at his perimeter, his legacy firewall deployment a decade ago brought this issue of managing network security hardware and software vendors together into focus. At that time he bought Check Point firewalls on Nokia IP Appliances, which made sense because the companies had a tight partnership. Check Point has since bought Nokia's hardware business.
"If we had gone with Check Point and gotten our own platform to run it on, it would have been too much overhead to try to build and package the solution ourselves," Schmitzer said. "The Nokia-Check Point partnership was a good relationship. From the customer perspective, you had two vendor's products sitting there, but you had a single platform perspective."
Focus on the applications – not the appliance
Regardless of how the different network security hardware and software vendors deliver their products, enterprises shouldn't lose sight of the software running on the physical boxes, according to Mike Rothman, analyst and president of research firm Securosis.
"First and foremost it's more about the technology and the software than it is about the appliance and the deployment model," Rothman said. "The question is: Are you going to go with Cisco or Check Point or Fortinet or someone else? That tends to drive the overall discussion rather than, 'Do I want software on industry standard hardware or do I want it on an appliance?'
Let us know what you think about the story; email: Shamus McGillicuddy, News Editor