As enterprises struggle to balance wide area network (WAN) security at branch offices with campaigns to consolidate infrastructure into central data centers, many vendors are offering network security products and services on their branch office appliances.
Many WAN managers have been backhauling Internet traffic across the WAN from dozens or hundreds of branches to data center firewalls in order to ensure WAN security, but as enterprises embrace more Web-based business applications, complications arise -- Salesforce.com competes with Facebook for bandwidth to the data center.
WAN managers could simplify things by giving branch offices direct Internet access, but this would require installing security appliances in each site, defeating the purpose of infrastructure consolidation.
"Direct Internet access from the branch -- typically for a hosted application -- drives the need for security in the branch office," said Joe Skorupa, research vice president at Gartner Inc. "But as you're making these changes to your network, you're centralizing servers and changing the architecture in a pretty fundamental way. It's an appropriate time to … take a service view of the world rather than a box view of the world."
Merging WAN security and optimization appliances: One fewer box
Even for enterprises with a less philosophical approach to WAN security and optimization, consolidating the two into a WAN optimization controller "can make the world simpler" for some enterprises looking to downsize their gear, Skorupa said.
The idea of integrating security software into WAN optimization appeals to Travis Stroebele, senior infrastructure engineer at YORK Label, a label manufacturer based in Omaha, Neb., which uses Riverbed Technology's Steelhead appliances in its 12 branch offices. Riverbed has enabled its Steelhead appliances to run services like WAN security as virtual machines (VMs) on its Riverbed Services Platform (RSP).
Already seeing success with other virtualization projects in the data center, Stroebele said he is "looking for innovative ways to roll out virtualization to the branch locations."
"The more you can do with one device, I think, the better," he said. "You don't have to buy separate appliances or servers to handle certain [functions]. It's definitely a good thing, but I haven't had the chance to experiment with [RSP] yet."
As its most recent addition to the RSP lineup, Riverbed announced this week that it has qualified a virtual version of McAfee's Firewall Enterprise to run on Steelhead appliances. The VM will be sold through McAfee and is slated to become available later this month. The product follows other virtual WAN security offerings for RSP from Check Point and Websense.
"This expands out of just simple file sharing to all the things customers are trying to address," said Nik Rouda, director of product marketing at Riverbed. "Every server you can take out of a branch reduces cost and complexity."
But not everyone is so quick to embrace consolidation of WAN security onto WAN optimization appliances.
"For us, it would not be a consideration, and I would prefer to purchase a device which actually did not 'bundle' this functionality," said Michael J. Parella, vice president and IT services manager at Managers Investment Group, an investment firm headquartered in Conshohocken, Pa. "We currently enforce security policies both at the gateway to our network and at the desktop. We've had a lot of success doing this and … an additional security layer between offices across the WAN seems unnecessary."
While evaluating WAN optimization technology, Parella found that Cisco executed the integration of WAN optimization and WAN security well on its integrated services routers (ISRs). But he remains "very skeptical when vendors begin to layer different levels of functionality into devices" and prefers targeted solutions.
WAN security-optimization appliances not all created equal
WAN optimization appliances with native WAN security features have been around for years. Blue Coat Systems led the pack in 2006 by integrating application acceleration into its security-focused ProxySG appliances. The following year, Cisco Systems released new ISR models, replete with WAN optimization software.
Virtualized WAN security products that are partitioned from their host WAN optimization appliance are not truly integrated and are thus less effective, according to Jeff Barker, vice president of solutions and technical marketing at Blue Coat.
"If you're putting some of the functions as separate VMs on a separate platform, really all you've done … is you've eliminated a piece of server hardware," Barker said. "That may work for certain types of functions. I refer to those as 'configure and forget' functions, like print services, DNS and DHCP."
But more critical business applications at the branch require that WAN security and optimization be more tightly coupled, he said.
"We're getting to the point in the industry where the Web -- HTTP and HTTPS -- has evolved to be the common transport for business applications, for recreational content and also malicious content in the form of malware and spyware," Barker said.
He added that WAN optimization appliances partitioned from their WAN security VMs can't differentiate among various types of SSL-encrypted traffic and thus cannot optimize it.
Meanwhile, management can also be a problem for enterprises with a large number of branches. Pushing security and policy to the very edge of the WAN may also leave gaps when users travel or work in different locations that have different policies, Skorupa said.
"There is the administrative challenge when you've got 300 branches and you need to have similar but not necessarily the same policy in every branch," he said. "Can you configure these devices 300 times? You'll never get [a consistent] result."
Let us know what you think about the story; email: Jessica Scarpati, News Writer
Dig deeper on Internet and application security