Best-of-breed or integrated solution? For years, IT departments have struggled to answer that question. Network vendors, such as Cisco and Juniper Networks, have carved out leading positions in WAN security, but along the way, dozens of third-party providers have emerged, offering features that often outdo the incumbents. Now IT pros must weigh the pros and cons in each type of provider, taking into consideration factors that range from cost to ease-of-management. What’s more, they’ve got to keep an eye on the emergence of virtual network security appliances and new programmable network architectures.
Why University of Kentucky chose Cisco as a WAN security vendor
The University of Kentucky operates a WAN that provides access to 28,000 students and 12,000 staff and faculty members. The university relies mainly on Cisco routers and switches to move information from place to place, so when the network was deployed years ago, the IT team opted for Cisco firewalls.
One reason for that choice was that the integrated approach required less training. Typically, network vendors offer solutions that work with a common user interface and set of commands. “Our techs are more efficient because they only have to learn how to use one interface in order to control our network equipment and security solutions,” said Doyle Friskney, CTO at the University of Kentucky.
In the old days, layering firewalls and anti-malware on top of switches and routers seemed quite natural. “Network devices provided clear demarcations between internal and external communications and were a good place to install needed security checks,” explained Pete Lindstrom Principal at Spire Security, an industry analyst firm. As the network equipment vendors added security tools to their product lines, they found ready-made customers, like the University of Kentucky.
Using integrated tools can also simplify the process of troubleshooting a complicated network. “Networks are becoming more complex, so businesses need solutions that mask the underlying complexity,” stated Kevin Beaver, principal information security consultant at Principle Logic, LLC, a consulting firm. As businesses extend their networks to more locations and support more devices, it has become difficult for support personnel to bounce among a number of different applications to pinpoint problems. In many cases, networking vendors have consolidated that information and can present support staff with the root cause analysis for any network or security problem.
By opting for one vendor, support requirements in this troubleshooting process diminish. IT teams only need to call one vendor to solve problems when they arise; they avoid the finger-pointing that sometimes occurs in multi-vendor environments.
“Customers develop a level of comfort when they work with a supplier for a long time,” noted Principle Logic’s Beaver. For instance, Cisco has built up a formidable presence in the enterprise, developed a robust channel to support its solutions, and has trained numerous network engineers. As a result, enterprises feel comfortable using its equipment and have little trouble finding individuals to operate its solutions.
Finally, going with one vendor for integrated technology can also be less expensive than choosing a best-of-breed option. When WAN network equipment and security solutions are bundled, suppliers often offer enterprises a discount.
That’s a crucial factor since IT teams have so much trouble convincing C-level execs to fund security solutions. In many instances, management is reluctant to fork over the dough needed for security solutions because their payback is not always clear. “IT departments can wrap a few thousand dollars for security products into a multi-million dollar network equipment purchase,” explained Spire Security’s Lindstrom.
The downside of choosing a network hardware vendor For WAN security
Network hardware vendors might seem like the simpler choice for WAN security, but there are drawbacks. Most notable, security is not their bailiwick, so their products may not be as robust as those from specialists, such as CheckPoint, Fortinet, Palo Alto Networks and Sourcefire.
More on securing the WAN
A tutorial on WAN security and performance
Finding the balance between WAN security and performance
WAN application security in a world of mobility
These third-party companies understand that the hardened perimeters enterprises have built are becoming weaker. Rather than attacking companies at the network level, hackers have now focused on application level attacks, such as exploiting flaws in programming languages and inserting bogus code into corporate applications and databases.
“Typically, the networking vendors offer generic security solutions rather than bleeding edge technology,” stated Principle Logic’s Beaver. If a business needs to solve a specific, uncommon security challenge, the security specialists usually emerge as the better option.
What’s more, the network vendors can be slow to respond to new market drivers while start-ups are more flexible. For example two years ago, Cisco outlined its new SecureX, architecture, which is designed to help companies establish granular corporate security policies. Rather than focusing on network connections, SecureX examines content traveling over a network and uses that information to enforce corporate security policies. But users viewed the project as overly complicated, and it remains largely a work-in-progress.
Networking vendors have had a checkered past in being successful in overcoming these bumps in the road. Several years ago, Cisco developed its own distributed denial of service (DDoS) security solution, the Anomaly Guard and Anomaly Detector Modules. However, the company phased out the products at the end of 2010 and recently began embedding Arbor Networks’ DDoS technology directly into Cisco routers instead.
The upside of choosing a third-party WAN security vendor
Temple University, which has more than 35,000 students enrolled in 17 colleges on nine campuses, had no choice but to work with a separate network security vendor since its wired and wireless network provider Avaya Inc. never entered the security market. So the university went to CheckPoint for its firewalls.
“We like having software based security solutions rather than hardware based systems,” said Seth Shestack, Associate Director of Information Security at Temple University.
When customers choose a best-of-breed provider, they can avoid getting locked into a one-vendor environment in their overall network technology. For example, many of Cisco’s solutions work only with its own devices, so companies can find it difficult to integrate new network technologies as they emerge.
What’s more, with equipment from third-party vendors, customers can integrate security into a greater network management strategy. For instance Riverbed and MacAfee recently teamed up, allowing enterprises to buy a one-box solution that includes the McAfee Firewall running on a Riverbed Steelhead WAN optimization appliance. This kind of approach can improve both the WAN optimization and firewall functions by sharing information between the two.
Watch out WAN security vendors: Enter SDN
Sofware-defined networking may further weaken the networking vendors’ hold on the WAN security market. SDN shifts the of focus maximizing performance and securing underlying hardware to creating software-driven, programmable networks that enable a whole new kind of security strategy.
With SDN, network security can become almost completely driven by virtual appliances and it can be granularly programmed. In some cases, engineers will use SDN controllers to direct specific applications or traffic flows to certain firewalls, offering varying levels of security depending on the application or traffic.
SDN is still in the very early stages. The University of Kentucky, for example, plans to deploy an SDN supporting only a few hundred users in the next three months to begin with, according to Friskney.
But the SDN movement will pick up and it will present significant challenges to traditional vendors. To date, these vendors’ value has largely come from their ability to maximize the hardware that enterprises rely on to move information from place to place with security features. With this new approach, software becomes more important and hardware could eventually become commoditized. In that case, enterprises could lose even further ground in the battle for the WAN security customer.
Paul Korzeniowski is a freelance writer who specializes in data center issues.
- An Introduction to Threat Hunting with Bro Zeek –CoreLight
- Network-Powered BYOD - A Case Study in Simplicity –SearchSecurity.com
- A Computer Weekly buyer's guide to perimeterless network security –ComputerWeekly.com
- How to make the business case for de-perimeterisation –ComputerWeekly.com