All-in-One Security Appliances Concentrate Vulnerabilities into One Box
by Eirik Iverson, Product Management
The more complicated something is, the more likely mistakes were made in its making, and mistakes facilitate security breaches. All-in-one security appliances consist of millions and millions of lines of software code; they are extremely complex. A software mistake in just one of the applications (anti-virus, router, firewall, anti-spam, URL filtering, network intrusion prevention, VPN, etc.) or functions of an all-in-one security appliance can compromise all of the other applications on the same box. The NIST National Vulnerability Database contains examples of vulnerabilities in one such application that would compromise the others.
Ideally, organizations would use single-application appliances to isolate each security service from any failure in another. But there are compelling economics behind all-in-one machines, which integrate the applications for simplified management and reduced up-front costs. Consequently, we have seen a strong trend away from many best-of-breed devices toward a single all-in-one device.
All-in-one appliances do require more frequent security patches, however, and these must be applied quickly because every service on the device may be at risk of compromise. Fortunately, an all-in-one device reduces the patching scope from many devices to one.
What we have not seen in the industry is recognition of the increased risks. First, one vendor programming mistake in an all-in-one appliance can bring all security services down at once. Second, with all-in-one devices, one may overlook that the system management options are often designed from a single-device perspective. Remember that availability, bandwidth, geography, and end-user population size tend to require two or more all-in-one devices to be deployed. So, if five or more devices are required overall, be sure to assess the ease of administering five or more such devices before selecting a vendor.
When there are hundreds of remote access VPN end-users, one should consider implementing the VPN on a separate device in front of the all-in-one device to improve scalability and security. Remember that remote access VPN computational load is not just a function of aggregate bandwidth but also of the number of user sessions.

January 10th, 2010 at 11:07 am
I have an antivirus firewall for my laptop PC. Do I need one for Linux as well?
January 11th, 2010 at 8:22 am
Theoretically yes, but practically speaking, so little malware targets Linux that one merely needs to be careful about installing software from legit sources and about social engineering attacks. Plus, there are configuration settings that would effectively snuff out drive-by download attacks, even if your host was hit by a Linux-targeting attack. I'd check around for some legit app that facilitates those settings for you; otherwise, identifying and implementing such settings may be beyond your skill set and cost of time, whatever that is.