
astronomer |
There is a lot of marketing hype for all in one solutions now. This is very good for the vendor. It locks you into using them for everything.
Now, let’s look at it from the user’s perspective. If your team has no/limited knowledge then a single contact point has a lot to recommend it. You won’t get fingers pointing at the other vendors as the problem. They can walk you thru a complete solution.
The disadvantages involve having all of your eggs in one basket. If they can’t address a security problem, (like we just had with our spam appliance), you are stuck. A related issue is, how good is each part of the all in one solution? Remember you won’t have the option of choosing each part separately based on individual merits.
If your team can handle variety you can buy some significant extra security with multiple vendors and the corresponding multiple systems. We currently use two firewalls with a PIX on the inside and OpenBSD on the outside. When we install email relay servers in the DMZ between these systems we will be able to address the vulnerability of our McAfee box.
The other big issue I see with single solutions is when that single box is compromised or bypassed, the cracker is all the way into your net. If you had our architecture but with a PIX on the inside and outside then a cracker who figured out how to get thru the outer PIX could use the same techniques to get thru the inner one. In our current environment, if someone cracked the BSD, he would discover the PIX required a very different approach.
I see single box solutions as a poor choice for all but very small organizations. I am sure the vendors will differ.
rt

sonyfreek |
If you’re someone who thinks the TV/VHS/DVD All-In-Ones or the All-In-One Scanner/FAX/Copier/Printer are a good idea, you’ll probably also like the Consolidation of all of your security into one box. I’ve always hated the idea, knowing that they’ve just packaged one good product with a bunch of mediocre or low end products. A firewall should be a firewall, an IDS an IDS, etc. Now, together they make a much stronger solution because you can establish defense-in-depth and a failure of one component doesn’t compromise the whole security posture.
SF

EngineerIT |
What I have learnt from my little experience:
* Never rely on a single vendor
* Never rely on a single technology
* Never rely on a single system/device
It is always good practice to mix and match vendors, technologies and devices.
One vendor may be good at one technology but at the same time another may be better for another technology and system.
Our approach and policy is to select the technologies and systems from different vendors and after evaluation select the best one.
Cisco ASA is no doubt a good product as long as you have an expert to properly configure it and make the best of it.
Fortinet too has a good name, although I have not used it and do not know many people using it.

solutions1 |
The architect’s dictum that “form follows function” pertains. If you have a security architecture shaped to address security and overall business objectives, then the “fit” of a particular appliance will flow from that architecture. For some media companies, the number one security objective is to restrict internal information flows internally (to wall off one client’s proprietary information from another’s), while for others it is to secure the supply chain (e.g., from creation to print & distribution). An “appliance” widget may or may not adapt to your particular priorities.

poppaman2 |
To follow/expand what solutions1 said (and to agree with some earlier posters), I too feel that the single appliance approach presents a single point of failure in your network: breach the device and it’s “game over, man”.
For a small(er) organization which needs security but has neither the manpower nor the finances to implement and maintain multiple devices (IDS, IPS, Firewall, Antivirus, Antispam, etc…), they can represent a suitable alternative.
As Solutions1 seemed to imply, they may also be useful in conjunction with a multi-vendor, multi-device network defense strategy INTERNALLY to separate departments or workgroups so information cannot flow between areas. This would also add to a “defense in depth” strategy, as a security breach of one area would not necessarily imply total network compromise if these appliances are used to segregate functional or divisional areas…

networksecure1 |
Thanks everyone for their insights and valuable input/suggestions.
Regards

TomLiotta |
I suggest you do something like going to securityfocus.com and running a search on the PenTest forum for “all-in-one”. There are numerous threads there that debate the question and all sides are presented. The thread that comes up from the search is a decent one.
In general, an all-in-one often puts limits on best-of-breed for each function while simplifying management and consolidating contact to a single vendor. The balance is your choice.
Arguments that are no longer relevant include single-point-of-failure, which is addressed by redundancy and failover, for example.
The entire list of all aspects is long. In the end, nobody from outside can know enough about your environment to give anything but the list of arguments and the PenTest forum is a good list.

barbis |
The smartest companies I know diversify their security technologies. A smart company will not choose all in one solutions. They are more complex and therefore more prone to failure. Would you like your firewall to stop working entirely when your IDS component hiccups? I really don’t care what their marketing hype says. Distributing your security protections across a number of proven solutions–and not relying on one company for all your security perimeter needs, is the smartest choice.

DanaMcCurley |
Since the consolidation topic is hot in this thread, I wanted to point you to SearchDataCenter.com’s Info Center on the subject.
<a href="http://searchdatacenter.techtarget.com/infoCenter/0,,sid80_iid2653,00.html" rel="nofollow">http://searchdatacenter.techtarget.com/infoCenter/0,,sid80_iid2653,00.html</a>
Feel free to email Hannah Drake, Assistant Editor for SearchDataCenter.com, about your thoughts on the Info Center. Her email address is: <a href="mailto:hdrake@techtarget.com">hdrake@techtarget.com</a>
–Dana
——————————
Dana L. McCurley
Editor, ExpertAnswerCenter.com
Editor, ITKnowledge Exchange