Small and medium-sized businesses (SMBs) have devoted a growing portion of their IT budgets to security during the last couple of years. A recent survey by Stamford, Conn.-based Gartner Inc. found that firms with one to 99 employees allocated 5% of hardware expenditures to security in 2004 and 7% in 2005. For companies with 100 to 999 employees, security expenditures rose from 6% to 7% during that period.
When it comes to protecting corporate data from outside attacks and unauthorized access, firewalls are a critical first line of defense for companies of any size. The good news for SMBs is that leading security appliance vendors have started targeting the needs of companies with limited in-house IT resources and budgets.
A basic definition
A firewall is a hardware/software appliance that sits at the edge of the corporate network, scanning incoming transmissions and filtering out unwanted packets according to pre-set rules. For example, it might be programmed to screen requests, making sure they come from an acceptable domain name.
Market trends
The past year has seen the rise of two types of security offerings that target SMBs with limited in-house IT staffs and budgets. One is the all-in-one appliance, which combines firewall protection with other key security features, such as antivirus software, virtual private networks (VPN), URL blocking and content filtering.
"The all-in-one security appliance provides excellent total cost of ownership, rack-space savings and ease of use with a single local interface" when compared with multiple point solutions that reside on separate boxes and must be purchased and managed separately, according to the Gartner research report "Network Security Platforms Evolving into Single-Appliance Solutions," which was published in August.
The second is managed security services, which target SMBs and sites that cannot justify the capital and administrative costs of in-house security systems. Most of the major carriers now offer firewall services that automatically check a customer's incoming packets and filter out "bad traffic." SBC, Qwest Communications International Inc. and Verizon Communications Inc. are among the service providers that also offer internal protection: an appliance residing on the customer's LAN checks for suspicious behavior patterns and can detect, contain and neutralize viruses and worms that threaten corporate servers, desktop devices and other endpoints.
Tips and gotchas
Look for a product that provides a single management view and some degree of correlation across different security functions. For example, administrators should be able to view and correlate log data generated by firewalls and intrusion detection systems.
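One way to do the kind of cross-log correlation described above, shown here as an added example that is not from the article or from any vendor's product: it joins constructed firewall deny records with constructed IDS alerts for the same source address inside a time window. The key=value log format is an assumption for illustration; real appliances use their own syntax.

```python
"""Correlate firewall denies with IDS alerts by source address (added example)."""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs for the example; not real traffic or a real product format.
FIREWALL_LOG = """\
2005-09-12 10:01:05 DENY src=203.0.113.7 dst=192.0.2.10 dport=445 proto=tcp
2005-09-12 10:01:07 DENY src=203.0.113.7 dst=192.0.2.11 dport=445 proto=tcp
2005-09-12 10:02:40 ALLOW src=198.51.100.20 dst=192.0.2.25 dport=80 proto=tcp
2005-09-12 10:03:15 DENY src=203.0.113.7 dst=192.0.2.12 dport=445 proto=tcp
"""
IDS_LOG = """\
2005-09-12 10:01:09 ALERT src=203.0.113.7 sig="SMB worm propagation attempt"
2005-09-12 10:30:00 ALERT src=198.51.100.99 sig="HTTP directory traversal"
"""

def parse_line(line):
    """Parse 'YYYY-MM-DD HH:MM:SS ACTION key=value ...' into a dict.
    shlex keeps quoted values such as sig="..." together as one token."""
    date, time, action, *kvs = shlex.split(line)
    rec = {"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
           "action": action}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec

def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def correlate(fw_text, ids_text, window=timedelta(minutes=5), min_denies=2):
    """Return {src: summary} for sources that tripped the IDS and were also
    denied by the firewall at least min_denies times within window of the alert."""
    denies = defaultdict(list)
    for rec in parse_log(fw_text):
        if rec["action"] == "DENY":
            denies[rec["src"]].append(rec)
    hits = {}
    for alert in parse_log(ids_text):
        src = alert["src"]
        nearby = [d for d in denies.get(src, []) if abs(d["ts"] - alert["ts"]) <= window]
        if len(nearby) >= min_denies:   # one IDS alert alone is not enough to flag
            hits[src] = {"signature": alert["sig"], "deny_count": len(nearby),
                         "targets": sorted({d["dst"] for d in nearby})}
    return hits

if __name__ == "__main__":
    for src, info in correlate(FIREWALL_LOG, IDS_LOG).items():
        print(f"{src}: {info['signature']} ({info['deny_count']} denies to {info['targets']})")
```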
Appliances should be reasonably easy to set up and configure initially, as well as when new security rules and policies are deployed. Just because a device is low-end doesn't mean it is simple to use or configure.
Minimize administrative overhead by keeping the security rules simple, particularly if you're going to need to change them frequently. "Firewalls are as static as your organization," noted Greg Young, a research vice president at Gartner. They need to be reconfigured, for example, to block a new type of protocol; to reflect a merger, an acquisition or a reorganization; or to guard a new port or Web service.
Expert view: Greg Young, a research vice president at Gartner:
"Firewalls are critical to security, but companies need to look beyond them to internal defenses that guard against internal employees and other authorized users.
"A fairly recent and growing security threat that firewalls don't adequately address is mobile employees. They can dial in from outside on their laptops through a VPN link, and as a result, malware can get into the internal network."
"An important second line of defense is intrusion prevention systems [IPS] that monitor internal data streams over the LAN for suspicious behavior. Because they reside in-line, they can not only report the presence of a worm, but also block it as well."
"Also be aware of the vulnerabilities posed by client systems that are out of your control, such as those belonging to partners. Older, legacy clients may not support the latest patches.
"Use a combination of defenses. Patches and firewalls are the equivalent of a guard sitting in front of the bank vault. Intrusion prevention systems follow the robbers around."
Pricing
Firewalls generally include a VPN gateway. Prices in the SMB market range from about $80 for a basic box to several thousand dollars. Buyers usually end up paying extra for higher security processing throughput, additional security features such as antivirus software and IPS, and management/configuration software.
For example, the Netgear FVS 114 Prosafe VPN Firewall 8, which costs about $120 to $140 retail, includes four 10/100M bit/sec. ports, stateful packet inspection, intrusion detection, up to eight simultaneous VPN connections and 253 users.
The eSoft InstaGate 305, which costs approximately $1,800, includes deep packet inspection, IPSec VPN, antivirus, network intrusion prevention, URL white/blacklist filtering and antispyware, and a 100M bit/sec. WAN port. A Smart Wizard and Install Assistant are said to cut down installation to minutes.
Product sampler
Firewall appliances generally include a VPN gateway. Many offer additional optional security features such as antivirus software and IPS. The following is a sampling of products that target SMBs:
WatchGuard: Firebox X 2500
Netgear: Prosafe VPN Firewalls
eSoft: InstaGate family
Sonicwall: Pro Series
Cyberguard: SG and Classic family
Cisco: ASA 5500 series
Symantec: Gateway Security 300 Series
Fortinet: Fortigate A Series
Managed security services are offered by many service providers, including Verizon, Qwest, SBC, Bell South, MCI and AT&T.
Resources
WhatIs.com
SearchSecurity.com
Compinfo Center
Treachery Unlimited
Information Security Forum
Elisabeth Horwitt is a freelance writer based in Waban, Mass.