The Two Sides Of Network-Security Devices

Today's IT security buyers have a wide variety of network-security products to choose from, which can be broken into two primary categories: network-integrated security and standalone security.

Network-integrated security products are routers and switches with integrated security capabilities (firewalls, intrusion detection, etc.). Standalone security products are purpose-built for security with no (or limited) networking functions; they are typically appliances, but can be software installed on a general- purpose server.

Infonetics Research's recent study, "User Plans for Security Products And Services, North America," investigated B2B usage plans for both types of products among business users of all sizes by comparing 2004 usage to 2006 usage expectations.

Secure routers and appliances are preferred by roughly the same percent of respondents for 2004 and 2006 (68 percent among small, midsize and large businesses). Switches with integrated security were used by only one-third in 2004, zer ease of implementation and are generally cheaper, but there is some skepticism of the extent to which each feature is best-of-breed.

When Infonetics asked users which features they would like in the appliances, firewall was the base technology, followed by virus-scanning and VPN, then spam filtering, intrusion detection and content filtering.

Infonetics also asked respondents for their aggregate system-performance requirement. Most respondents seek products that have 100-M to 1-G aggregate performance, with 1 G, 2 G, 5 G and up all increasing during the next two years.

Secure Routers

The popularity of secure routers caught many vendors by surprise, but Juniper's nearly $4 billion acquisition of NetScreen in 2004 put a laser focus on the market.

We asked users which features they would like integrated in routers in 2004 and 2006. In 2004, firewall was first (80 percent), and vulnerability assessment was last (39 percent).

Intrusion prevention and spam filtering demonstrate the biggest jumps from 2004 to 2006, with VPN an obvious choice. Gateway AV and application security are desirable, but both are processor-intensive, and secure routers have less security-processing horsepower than security appliances. A good strategy would be to integrate VPN, firewall and some level of intrusion prevention into the base product, and then offer hardware modules for additional security features.

VARs should target the 100-M and below space with secure router products, as the bulk of enterprise routers shipped are for T-1 and FT-1 connections, and are not yet being used to secure internal traffic.

Secure Switches

Secure switches have more specialized uses, so it's no surprise that they are the least deployed of the three types of network-security hardware. Most people use secure switches for internal security, data-center security or all-in-one functionality at small branch offices, so the buyer pool is smaller by definition.

Most leading switch vendors have toyed with security; Cisco and Nortel offer the most comprehensive solutions. Focused Ethernet switch vendors, such as Foundry and Extreme Networks, are less exposed to the security requirements of their enterprise customers because they primarily serve their switching needs. Many wireless LAN switch vendors built products that offer security for wireless LANs, and many of these will be repurposed for general security use.

VARs should look at two main classes of secure switch products: One is high-end devices for data center or backbone use, with high-performance and integrated firewall, intrusion prevention, application security, virus scanning, and even secure socket layer, deployed in a modular chassis. That way, users can select features, and scale performance as needed.

The second class is an all-in-one branch device--a switch with integrated VPN and firewall, and possibly router ports.

Secure switches should be designed so that each function can be assigned to a single Ethernet port, and add-in modules should have enough processing so that all ports can operate at wire speed once security is turned on. These products are costly, but the target-buying population is larger companies with strong security requirements.

The Strategy

The smartest strategy is to have a broad security product offering, encompassing standalone appliances and software, and network-integrated products, because users haven't made up their minds about which they prefer, yet security architectures will continue to evolve.

Jeff Wilson ([email protected]) is executive director of Infonetics Research.