When the Lee County Clerk of Courts in Florida began migrating to an electronic records-keeping system two years ago, its IT personnel realized deploying the records system wasn't the only challenge it faced. Just as critical was securing the information in that system against hackers, as well as complying with state laws mandating the security of official records, including court proceedings and decisions, case inquiries and property deeds.
Brian Bernard, the court's senior network administrator responsible for the security of the county's official documents, elected to deploy a unified threat management (UTM) system to keep the threats at bay. Now relying on a second generation of UTM, Fortinet's Fortigate-5050, Bernard says he was originally looking for ease of administration when he selected his first multipurpose product, a Linux-based software solution from Symantec.
Bernard, according to many analysts, is typical of security professionals who've turned to a UTM device rather than deploy separate products for firewall, anti-virus/anti-malware scanning, and intrusion detection and prevention.
"The threat-management security appliance market is being transformed by unified threat management appliances," says Charles Kolodgy, research director for secure content and threat management at research firm IDC.
The UTM market, growing at a 42 percent rate, is a $967 million niche, according to IDC. In fact, IDC predicts that UTM appliance sales will make up nearly 50 percent of the threat management marketplace over the next five years.
The UTM's advantages are clear when reviewing the economics from a number of perspectives, says Mike Rothman, a principal with research firm Security Incite. First, a traditional layered security approach, with separate devices for each function, requires having to buy 10 different products from 10 different vendors, with 10 maintenance contracts, he says.
"You're able to consolidate all of that into one umbrella [with a UTM], which is where people are at now, and it's compelling," he adds.
The same can be said for relying on one of the increasingly popular software packages that combine a variety of security monitoring and control functions into a single product, says William Bell, director of information security at EC Suite, a 400-employee provider of e-commerce-related (i.e., hosted catalog payment) services. Bell, who now relies on multiple products from two security vendors recently acquired by Lumension, says he's looking forward to the prospect of seeing them combined into a single package.
For him this will mean less administrative overhead, easier visibility of different types of attack, and better correlation of data. "All those kinds of things that make our job as security professionals easier," he adds.
For Lee County's Bernard the enterprise must avoid the risks of being hacked, especially since just about every sort of public record — including property deeds, notices of delinquent taxes and court proceedings — moving to a NetApp-based storage-area network (SAN) accessible to county employees via the internet. With about 50 percent of the system implemented, the move to a fully electronic record-keeping system gives the county's 2,000 geographically dispersed employees web-based access to information previously available only on paper at the courthouse.
The development of the system also forced Bernard to deploy what he calls "some form of intrusion protection." He originally protected the back-end SAN with Symantec's NetProwler, but became dissatisfied with it a year ago.
"The performance was suffocating," he recalls. With the intrusion-detection and protection features turned on, he considered the enterprise lucky if it got "six or seven megabits of throughput on a gigabit fiber line," he says. "It was horrible."
Assessing the field
His examination of the UTM marketplace a year ago pointed him in the direction of the Fortinet device. (He evaluated products from Crossbeam Systems, Juniper Systems and Cisco Systems, as well as individual point solutions from a variety of vendors.) There were two key reasons he chose to deploy redundant Fortigate-5050 devices in his data center in Fort Myers, as well as a Fortigate-1000 at a disaster-recovery site in Sarasota, several hundred miles away.
First was the device's performance. "We found that Fortinet had the best throughput, at 250-350 megabits per second, with all the functions [firewall, anti-spyware, anti-virus, intrusion detection and prevention] fired up," Bernard says.
Just as important was the box's ability to support two routing protocols, the Border Gateway Protocol (BGP) and Open Shortest Path First (OSPF), both of which allow routing network traffic over multiple connectivity links.
"Living in Florida with hurricanes, everything — data, power, connectivity — has to be redundant, redundant, redundant," Bernard says.
As noted, ease of administration, which results in lowered total cost of ownership (TCO), remains the number one reason Bernard deployed a UTM. Yet, relying on separate devices for each of the security functions supported by the UTM might well improve overall network performance, he admits.
"But what you gain in performance, you lose in administrative costs, and the costs of licenses and maintenance agreements. Those costs skyrocket."
Internal threats
"When you go back and look at the security breaches that have occurred, a good majority have been executed through computers in offices," EC Suite's Bell explains. "A staff member browsing the web downloads a trojan, the computer is taken over, and that attack is leveraged to move through the internal network to find sensitive data."
With sensitive client information on its internal systems, EC Suite can't afford to suffer a break-in. The company safeguards line-of-business systems through traditional ways, such as ingress and outgress filters, blocking not only what comes in, but what goes out of the network, Bell says.
"This is often forgotten by a lot of people, but once an attack is inside, it has free reign," he says.
To secure and manage the PCs used by the company's office personnel, Bell has for two years relied on products from PatchLink (PatchLink Update and the PatchLink Developers Kit) and SecureWave (Sanctuary device and application control software).
Getting simpler
Bell says he lucked out when Lumension acquired the two companies along with their products. He's looking forward to Lumension's promise to integrate the two acquired vendors' products into a single, cohesive package.
"Today, we have two clients and two consoles versus the one we will have."
Lumension has already combined the two product lines' reporting capabilities into a single console, according to Bell. "This allows us to look at the data from each client and we can see the gamut of Lumension products in a centrally visible console. This is invaluable for all kinds of data correlation, and we can see patterns when we have the data in one place."
Bell believes the integration of multiple security solutions into a single package can go only so far, however. "The moment we start sacrificing functionality for ease of administration, then we're not doing our due diligence.
"If you focus on just integration and delivering the lowest cost products, but the products aren't as effective as the competition, then you're doing your company a disservice," he says. "Some integration is good, and there's a definite cross-over point, an equilibrium where you maximize cost savings and effectiveness."