Consolidated Security Product/Approach? What about layered approach?

Incident response
Information risk management
Intrusion management
IT architecture
Network security
Product evaluation
Security management
Security products
Hi Punnet, I'm a It Director at lasrge Media firm in NY. Looking at the security overhaul in the recent months and business looking to cxonsolidate the offices enviornment the talk of the town is to have ALL IN One device which does Firewall,IDS,VPN etc. I thought layerd security approach was the way to go but it seems some security groups have different ideas about the implementation. What are your thoughts about the products like Cisco ASA and Fortinet device? Does Nortel has something comprable to Cisco ASA device? Thanks in advance for your response. Regds

Answer Wiki

Thanks. We'll let you know when a new response is added.

Watchguard seems to do a pretty good job.

Discuss This Question: 9  Replies

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.
  • Astronomer
    There is a lot of marketing hype for all in one solutions now. This is very good for the vendor. It locks you into using them for everything. Now, let's look at it from the users perspective. If your team has no/limited knowledge then a single contact point has a lot to recommend it. You won't get fingers pointing at the other vendors as the problem. They can walk you thru a complete solution. The disadvantages involve having all of your eggs in one basket. If they can't address a security problem, (like we just had with our spam appliance), you are stuck. A related issue is, how good is each part of the all in one solution? Remember you won't have the option of choosing each part separately based on individual merits. If your team can handle variety you can buy some significant extra security with multiple vendors and the corresponding multiple systems. We currently use two firewalls with a pix on the inside and openBSD on the outside. When we install email relay servers in the DMZ between these systems we will be able to address the vulnerability of our mcafee box. The other big issue I see with single solutions is when that single box is compromised or bypassed, the cracker is all the way into your net. If you had our architecture but with a pix on the inside and outside then a cracker who figured out how to get thru the outer pix could use the same techniques to get thru the inner one. In our current environment, if someone cracked the BSD, he would discover the pix required a very different approach. I see single box solutions as a poor choice for all but very small organizations. I am sure the vendors will differ. rt
    15 pointsBadges:
  • Sonyfreek
    If you're someone who thinks the TV/VHS/DVD All-In-Ones or the All-In-One Scanner/FAX/Copier/Printer are a good idea, you'll probably also like the Consolidation of all of your security into one box. I've always hated the idea, knowing that they've just packaged one good product with a bunch of mediocre or low end products. A firewall should be a firewall, an IDS an IDS, etc. Now, together they make a much stronger solution because you can establish defense-in-depth and a failure of one component doesn't compromise the whole security posture. SF
    0 pointsBadges:
  • EngineerIT
    What I have learn't from my little experience: * Never rely on single vendor * Never rely on single technology * Never rely on single system/device It is always a good practice of having mix and match vendors, technologies and devices. One vendor may be good at one technology but at the same time other may be better for another technology and system. Our approacah and policy is to select the technologies ans systems from different vendors and after evaluation select the best one. Cisco ASA is no doubt good product as long as you have an expert to properly configure and make best out of it. Fortinet too having good name. Although I have not used and do not know many people using it.
    0 pointsBadges:
  • Solutions1
    The architect's dictum that "form follows function" pertains. If you have a security architecture shaped to address security and overall business objectives, then the "fit" of a particular appliance will flow from that architecture. For some media companies, the number one security objective is to restrict internal information flows internally to wall off one client's proprietary information from another's), while for others it is to secure the supply chain (e.g., from creation to print & distribution). An "appliance" widget may or may not adapt to your particular priorities.
    0 pointsBadges:
  • Poppaman2
    To follow/expand what solutions1 said (and to agree with some earlier posters), I too feel that the single appliance approach presents a single point of failure in your network: breach the device and it's "game over, man". For a small(er) organization which needs security but has neither the manpower nor the finances to implement and maintain multiple devices (IDS, IPS, Firewall, Antivirus, Antispam, etc...), they can represent a suitable alternative. As Solutions1 seemed to imply, they may also be useful in conjunction with a multi-vendor, multi-device network defense strategy INTERNALLY to separate departments or workgroups so information cannot flow between areas. This would also add top a "defense in depth" strategy, as a security breach of one area would not necessarily imply total network compromise if these appliances are used to segregate functional or divisional areas...
    0 pointsBadges:
  • Networksecure1
    Thanks everyone for their insights and valuable input/suggestions. Reagrds
    0 pointsBadges:
  • TomLiotta
    I suggest you do something like going to and run a search on the PenTest forum for "all-in-one". There are numerous threads there that debate the question and all sides are presented. The thread that comes up from the search is a decent one. In general, an all-in-one often puts limits on best-of-breed for each function while simplifying management and consolidating contact to a single vendor. The balance is your choice. Arguments that are no longer relevant include single-point-of-failure which is addressed by redundancy and failover for example. The entire list of all aspects is long. In the end, nobody from outside can know enough about your environment to give anything but the list of arguments and the PenTest forum is a good list.
    125,585 pointsBadges:
  • Barbis
    The smartest companies I know diversify their security technologies. A smart company will not choose all in one solutions. They are more complex and therefore more prone to failure. Would you like your firewall to stop working entirely when your IDS component hiccups? I really don't care what their marketing hype says. Distributing your security protections across a number of proven solutions--and not relying on one company for all your security perimeter needs, is the smartest choice.
    0 pointsBadges:
  • DanaMcCurley
    Since the consolidation topic is hot in this thread, I wanted to point you to's Info Center on the subject.,,sid80_iid2653,00.html Feel free to email Hannah Drake, Assitant Editor for, about your thoughts on the Info Center. Her email address is: --Dana ------------------------------ Dana L. McCurley Editor, Editor, ITKnowledge Exchange AIM: bunnylvr21 Work: 781/657-1496 Cell: 508/308-4897 TechTarget 117 Kendrick St. Ste. 800 Needham, MA 02494
    0 pointsBadges:

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

Thanks! We'll email you when relevant content is added and updated.


Share this item with your network: