Security: DIY or Plug’n’Play?

Assembly Instructions Appliance or not appliance? That is the question! A computer appliance is a dedicated hardware which runs software components to offer one of more specific services. Information security has always been and is, still today, a common place where to deploy appliances: firewalls, proxies, mail relays, authentication servers, log management, Wi-Fi controllers and much more! This post is just a reflexion about appliances and their alternatives. They are two groups of people: pro & cons. Those who love appliances for their robustness and ease of use and the others who are frustrated by their limitations.

Let’s check the components of  an “IT service”: It requires some hardware (chassis, CPU, memory and storage), some piece of softwares and “data” (input & output). The software layer is composed of three sub-layers: the operating system itself (to allow the applications to access the hardware – kernel / drivers / system calls), the applications themselves which manipulate the data and, last but not least, the management interface. To build this platform, we have three solutions today:

  • An appliance
  • A dedicated hardware + software components
  • A virtualized server + software components

The hardware is often a major appliances’ limitation. They are sized to process a specific amount of data “units” (packets, emails, requests) and are not expandable or, sometimes, in a limited scope via specific manufacturer’s modules. If you reached the appliance capacity, you have to deploy a second one in parallel and load-balance the data or, subscribe to an upgrade program proposed by the manufacturer. Take care, entry-level models may have a restricted set of feature which could be embarrassing (like no support of the SNMP protocol or lack of clustering features). If you choose to build your own hardware platform or to virtualize the service, you are free to size the hardware as you want with your preferred manufacturer. Even better, upgrades are not an issue!

Regarding the operating system, an appliance has a major advantage: “zero-administration cost”. The operating system is hidden and the administrators cannot interact with it. It has been hardened and secured. At the opposite, a self-made solution will require more time and experience to setup the operating system. The application itself (to process the data) will have a large but fixed set of features on an appliance. Missing features could not be implemented without the manufacturer which releases new version x times a year.

Regarding the management, appliances are usually managed via a browser. An operating system and application installed on a server (physical or virtualized) will require more controls. In case of an appliance, connect the power-supply, the network and start a configuration wizard. Sometimes, big organizations have dedicated teams for system maintenance and security. This could lead to issues if one team must maintain the “OS” layer and a second one the security applications. Keep this in mind! Good examples are log management system which cannot be accessed, for integrity reasons, by people outside the security team.

A major advantage of virtualized environment is the “out-of-the-box” high-availability. Modern server farms are replicated across multiple sites and storage is provided via redundant SANs. The virtual servers can be moved without downtime. Lot of appliances have clustering features but you have to buy at least two boxes. In case of an active-standby setup, the second box won’t be used and increases drastically the budget. Same for dedicated servers where extra steps are required to build clusters.

Some manufacturers propose a “virtual” version of their appliance. This is a good alternative solution: a fully integrated software package but without the hardware limitations and full redundant (which relies on the virtualized environment). But this has a major impact for manufacturers, customers have a full access to the software components. Sometimes, the manufacturers require a NDA before releasing the virtual version of their appliance.

To resume, here is a table which lists all the pro & cons of each solution:

Dedicated Hardware Appliance Virtualized Server
Hardware Completely open, lot of manufacturers, lot of
extensions, dedicated support. Risks of incompatibility with the software.
Spare parts or redundant hardware must be foreseen.
Dedicated hardware with limited extensions (only
from the manufacturer). Support included in the maintenance contract. Fully
compatible with the software. Note that the extension might be expensive. In
case of hardware failure, the manufacturers usually offer (read: against
$$$), a RMA contract for standard replacement of the faulty device.
Shared hardware but resources dedicated to the
application. Easily expandable and redundant.
Operating System Free to your choice. Must be compatible with the
harware. It must be hardened and properly managed (monitoring, backup,
patching). Some commercial operating systems may require a license. Skilled
people must maintain the system.
Included in the appliance and completely hidden from
the user/administrator. Support is include in the maintenance contract
Like the dedicated hardware, an operating system
must be installed and managed. The same advantages and issues remain.
Applications The right tools must be installed (compiled from
source code or binaries) and integrated within all the components. There is
no limitation in functionalities but integration and maintenance with other
components might be difficult. Like the operating system, applications must
be properly hardened and managed.
There is no choice. Only the proposed applications
are available with specific features. All components are easily integrated
and do not require maintenance, except the patches provided by the
manufacturer.
Like the dedicated hardware, applications are
installed and managed. Same advantages and issues.
Management Tools The right tools must be installed to manage the
operating system, applications and data. Those tools must be properly
configured and address all the security aspect of the CIA principle.
Usually web based, a browser is enough to configure
and maintain the appliance.
Same as the dedicated hardware.
Installation Setup the operating system, harden it, install the
softwares and integrate them, fine-tune, install the management tools.
Connect the power-supply, the network cable, run the
configuration wizard, done.
Create the virtual machine and follow the same
procedure as for the dedicated hardware solution.
Maintenance Operating system and applications maintenance must
be foreseen. Follow up of new threats, vulnerabilities. Skilled people must
be required.
Only a followup of the manufacturer is required to
install the released patches.
As for the dedicated hardware, the operating system
and applications must be kept up-to-date. But in this case, the
virtualization environment must also be kept up-to-date (the hypervisor).
High-Availability Multiple dedicated hardware instance must be
foreseen as well as synchronization, load-balancing features
High-availability is often provided out-of-the-box.
Multiple appliances must be deployed and linked together.
High-availability can be achieved via the
virtualized environment.
Features From a software point of view, the number of
features is illimited. You are free to develop your own if required. On the
other hand, this could have a huge impact on costs (development,
maintenance). In this case, “freedom” is the keyword.
The set of features is usually huge but limited to
the manufacturer’s choice. New features will be added if enough customers or
the business require it. Some fine-tuning might be difficult to implement due
to the restricted access to the core components.
Same as the dedicated hardware.
Security The operating system is a key point and must be
properly secured. The integration of application can lead to more
vulnerabilities.
Except configuration issues, the appliances is
hardened by the manufacturer.
An extra layer must be secured: the hypervisor.
Mixing virtualized servers of different security levels is not recommanded.
Compliance Self-built environment might not achieve all the
compliance requirements.
Usually, they support compliance requirements. Virtualized environment are not yet accepted by
compliance requirements. Or they may require more controls.

What’s the best solution? Do it yourself or use a plug’n’play solution? I can’t answer for you! Some people will be afraid to build their own platform (lack of time or knowledge), others enjoy their freedom. Anyway, the most important point to keep in mind: often, if you have to install a new service, the request comes from the business for the business (your users). Your choice must respect:

  • The allowed budget;
  • The required features;
  • The expandability (!);
  • The ease of management and reporting;
  • The compliance requirements.

Finally, a last remark: self-made servers or appliances will perform badly if not properly configured! Whatever the solution chosen, keep all the security aspects in mind.

2 comments

  1. Hello Christophe,

    Long time no see 😉

    Checkpoint SPLAT is indeed a good example. SPLAT is a software bundle (Linux hardened OS + Checkpoint softwares) can be installed on an “open” server (even if the compatibility list provided by Checkpoint is quite small) or is available on a dedicated hardware (the “UTM-1” boxes).

    Even if you have root access to the SPLAT operating system, it is clearly NOT recommended to install packages non supported by Checkpoint (can break your support) and fine tuning must be performed by people with enough knowledge.

    IMHO, this is clearly a risk: people with “Linux” knowledge will try to customize the SPLAT because “they know Linux” (real story).

    For me the best solution is the one which:
    – meets all the business requirements (not YOURS!)
    – makes you comfortable with their maintenance (use the tools you can handle)

    /x

  2. Interesting article, but what about the “software appliances”?
    These are install-packages containing everything starting from OS to the software itself. For example Check Point does this using their SPLAT.

    Some software-appliances (like SPLAT) even give you access to the OS using a shell. Of course you are ‘limited’ by the stripped/hardened OS, but you can still install extra packages and finetune other OS-related aspects on these devices. Of course you lose the ease-of-upgrade because with every new upgrade your custom changes are lost. However most of the upgrades are software upgrades that do not touch the hardened OS.

    Isn’t this model a good compromise between customisibility, hardware-flexibility and security/patching?

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.