All-In-One Gateways

Keep several parameters in mind as you begin your deliberations. For example, how many users will the network support? And how many will be on the network simultaneously? These numbers can have an impact on the licensing for certain features and will be the key to determining whether a particular appliance will have satisfactory performance for deployment.

Will the gateway be deployed at a branch office that will connect back to a central network, or will it be protecting the main enterprise network at its point of entry? The answer will help you decide which features are required on the device or which will be handled by other appliances. It will also help you choose a management interface that's appropriate for the device.

What is the size and nature of the network? Although all-in-one gateways are gaining in performance and capabilities, they've been largely limited to networks in the small and midsize business market, where their performance is sufficient for the number of users and their management simplicity makes them attractive to a security administrator who is likely to be a network generalist rather than a security specialist. The nature of the user base is critical because it will help answer questions like how many VPN tunnels are required--a number that will be proportionately higher for a company with a mobile sales force than one with an internal sales group.

Bandwidth Isn't Everything

Intrusion detection and prevention, as well as protection against viruses and spyware, require deep-packet inspection that can put a strain on your gateway. So if you need such functionality, look carefully at the performance ratings of candidate products. Be sure to ask the vendors how many simultaneous connections their devices will support. It's easy to be swept up in bandwidth numbers, but the connections number is especially important when it comes to IDSs and IPSs, which need to look at traffic flowing in both directions.

If the gateway includes intrusion detection or prevention, it may be an inline device rather than an appliance that connects to the network in a one-armed configuration. If the device can be deployed inline, make sure redundant power supplies, network interfaces and other critical components are available so your network can continue to operate even if the appliance goes down.

The Complexity Factor

How complex must your landscape be? If your network complexity is low, you'll be able to get by with a relatively simple set of firewall rules. But if you have multiple Web-fronted applications, static routes for enterprise branch-office connections and several public Web servers, you'll have a much larger set of firewall rules, which places a greater load on the firewall's CPU. Object-based management can reduce the number of rules, but it hasn't been universally implemented, so check for it as you compare systems.

The same issues come to the fore when antispam, antivirus, antispyware and other malware protections are part of the all-in-one menu. Although these are increasingly seen as part of the normal workload of a security appliance, they don't come without a processing cost, especially where a single CPU is handling all the processing tasks. This trade-off can severely limit the number of users who can simultaneously access the network without experiencing noticeable delays.

There is another feature that can have major performance implications: VPNs. While these secure, encrypted tunnels have become critical pieces of the total security plan for many organizations, they can require serious processing resources to service. If the VPN capability will be used to securely connect a branch-office gateway back to the central corporate network, with a single pair (or small number) of tunnels, there's no real cause for concern. But if the gateway will be used to terminate tunnels for a mobile workforce, with a simultaneous tunnel total that could reach into double or even triple digits, ask pointed questions about how the VPN processing is accomplished. Look at the total number of simultaneous VPN tunnels the gateway is rated to support. If it supports the same number of SSL tunnels as IPsec tunnels, beware: SSL tunnels have a much heavier processing overhead.

As features are added to the package in some units, it's reasonable to ask whether they're supported by their own circuitry or serviced by a single CPU that provides all functions for the device. If it's the latter, make sure the performance promised is adequate for your network.

Plays Well With Other Networks

When looking at how well an all-in-one gateway can interact with other networks, examine gateway management (see "Let's Talk Management") and security rules. But don't overlook user-identity management, either.

Authenticating users into the network and authorizing them to reach specific network assets can be handled at many levels in the network infrastructure. Several architectures have the gateway act as the agent that queries users as they try to join the network, then pass the user information on to a central authentication database. Look at the appliance's ability to integrate its authentication with Microsoft Active Directory, a RADIUS server, an LDAP server, or the specific directory or identity server your organization has deployed. However, go beyond the simple facility to integrate authentication services: Ask for white papers or tech notes that describe the integration process. There can be vast differences in the ease with which authentication processes are integrated.

Logging and reporting are critical, especially if the gateway includes IDS features. A busy network's IDS log can easily hit multiple gigabytes each day, so be sure you have backup procedures to safeguard the logs, or a location to which the logs can be saved, so they can be used in forensic work or to help analyze exploits after they've occurred. In addition, look at the logging and reporting functions to measure their ability to comply with your company's regulatory requirements. HIPAA, GLBA, SOX and other legal provisions impose regimens of record-keeping and audit capabilities that can be quite rigorous. If your organization falls under one or more of these regulations, be sure the gateway supports, rather than hinders, the openness and accountability required.

An all-in-one gateway can be a security and access workhorse. Taking the time to match the capabilities of the gateway with the needs of your organization will go a long way toward ensuring a successful deployment.

Curtis Franklin, Jr. is a senior technology editor at Network Computing. He has been writing about the computer and network industries since 1985. Write to him at [email protected].

An appliance that contains as much functionality as an all-in-one gateway must be easily managed if it is to be of any use to your organization. As a security device, the gateway will be most securely managed by an out-of-band interface that keeps management separate from the public-address space used by the production network. If a separate management interface isn't available, you'll want to see, at the very least, SSL authentication into the appliance for any IP-based access. Most professionals insist on a serial console interface as well, for two reasons: The serial interface tends to be quite secure compared with the company's public network space; and in the event that something goes wrong with the device, the serial interface can be a more reliable route into the box than the network interface.

If the all-in-one gateway will be deployed in a branch office, the ability to be remotely managed will be critical. Look for both SSL authentication on the management interface and integration capabilities with management frameworks such as Hewlett-Packard's OpenView, IBM's Tivoli and Computer Associates' Unicenter. As the network infrastructure vendor community begins to embrace the idea of policy enforcement that scans incoming devices for security compliance and allows or denies access based on actions by network infrastructure devices, gateways will need to be compliant with protocols such as Cisco Systems' NAC and Microsoft's NAP if they're to remain useful within an enterprise context--so ask about the vendor's plans for these protocols. When judging the gateway's long-term deployment possibilities, look for compliance with the protocols, or ask the vendor about the upgrade procedure required to make the device compliant.