Network Security Appliances for Mission Critical Applications
By David Eoff, PRODUCT MARKETING ENTERPRISE SOLUTIONS - NOKIA

Nokia security appliances are often compared to generic servers, such as those from Dell or HP, running Check Point's Secure Platform OS, which in turn rely on off-the-shelf hardware assembled to support firewall software. While the idea of using off-the-shelf hardware may seem attractive in principle, it does not make a compelling argument for this type of application; for mission-critical applications, specialized hardware is the practical choice.

At first inspection, the two products appear similar, as they both employ Check Point software on another vendor's hardware. Despite the surface-level similarities, though, Nokia appliances and generic servers running Secure Platform are not equal. Compelling benefits are only guaranteed by solutions that incorporate sustainable reliability. The essential requirements are an appliance architecture that combines best-of-breed software, OS and networking services with specific, purpose-built hardware, and a comprehensive quality assurance and technical support program that only a rigorously controlled configuration can provide.

The popularity of the Network Security Appliance (NSA) has risen dramatically since NSAs were introduced in the mid-90s. Appliance-based solutions are essentially plug-and-play, whereas up to that point the approach to solving security problems was to piece together hardware, OS, drivers, and application-specific software. NSAs introduced a significantly more efficient model. Overcoming the existing problems, NSAs are based on the concept of one integrated product to manage and upgrade, usually from one trusted vendor. Such an approach allowed for an optimized product with robust security and improved performance.

In order to create a well-integrated NSA, Nokia analyzed customer requirements and current technologies, and specified the following requirements for every Nokia NSA:

Ease of use: One-stop purchasing ensures all components are available from a single source. This improves procurement, maintenance, and support of devices critical to IT resources. Plug-and-play design means all components are optimized and tested to ensure proper and reliable operation. Unified and simple initial configuration aids such as templates, wizards, and setup mechanisms assist administrators in quick and simple setup. Optimized configurations use a purpose-built OS, which ensures performance does not suffer at the expense of security. Consolidated management means all aspects are managed from a single, integrated application. Firmware, software, and content updates are installed from trusted single sources, often automatically.

Security: Best-of-breed protection incorporates security functions that have achieved industry certifications and a proven track record. Check Point's software is known for its capabilities and stability. Best-of-breed operating systems such as Nokia IPSO™ are integrated with Check Point applications to optimize network security. Nokia IPSO™ is unique in operation and optimized for the NSA, providing the strongest fit between the OS and the host hardware.

Performance and availability: Throughput is critical - the system is designed and built to ensure specific program ratings. The underlying hardware design is selected to support the NSA's processing power, memory requirements, and I/O capabilities to enable line-rate execution of the security application under all loads.

Security is a function that should always be available. Lack of security can have severe consequences, ranging from revenue loss to catastrophic shutdown. By design, Nokia appliances support native failover and clustering, and optional redundant or hot-swappable components - power supplies, fans, etc. It is also important to have optional out-of-band management interfaces and dedicated/reserve processing power to ensure management under heavy load or attack scenarios.

Generic NSAs running Check Point's Secure Platform use AMD or Intel-based hardware, are supported by a limited number of vendors, and are an alternative to dedicated solutions like Nokia. While these devices may be "light" in some of the aforementioned qualities, they do offer some desirable NSA features: dynamic routing (optionally), HA clusters, multicast protocol support, Web or CLI and RADIUS compatibility. According to the market and relevant vendor websites, a server running Secure Platform is essentially a specialized PC for Firewall or VPN. Its primary desirable feature is low initial cost of entry for a given performance segment.

However, unlike with a PC, upgrades or parts replacement are not as straightforward as for PC-based servers. Because of the specialized nature of an NSA's function, incompatibilities and vulnerabilities may be easily introduced unless the hardware undergoes intensive, thorough testing with the Secure Platform OEM. Therefore the strongest benefit of such an NSA, that of using off-the-shelf hardware, is severely lessened, as delays similar to those for purpose-built devices can take place.

There are additional considerations that have an impact on a device's applicability in the enterprise. Chief among these is support. Nokia's reputation for innovation is only bested by its support and infrastructure. This experience translates into servicing customers with superior quality and proven processes. Unlike Nokia, those server vendors do not deliver a single-point-of-support model. Secure Platform software does not offer support for Intel/AMD hardware OEMs, and the OEMs do not offer support for Secure Platform. The resulting gap lengthens the time-to-resolution for customers.

Nokia support includes associated Check Point software, while Secure Platform offers optional extras - performance acceleration and ClusterXL - which impact EBS support and recurring subscription fees. The cumulative effect is significantly higher costs, up-front and for the life of the product. And Nokia appliances are always subjected to exhaustive quality assurance, which produces results that help protect customers' investments and offer a quality experience.

Nokia is clearly a frontrunner in NSAs, especially compared to generic servers running Secure Platform. Nokia offers a combination of sound engineering and support that addresses both immediate and long-term requirements, while maintaining a competitive price point. Nokia NSAs are designed to offer a wealth of features that are simply not possible or, at best, available only at a substantial additional cost in generic NSAs. And while new offers in NSAs may appear attractive at first glance, the experience and backing that Nokia brings to its product lines and customers are not easily replicated by generic hardware offerings.