
Getting out of the Hardware Appliance Racket

I’ve always considered the “hardware appliance” business as some kind of racket akin to the old Military Industrial complex post World War II. They had fear and superstition in common, and most importantly, the racketeers were able to cash in big on the ignorance and superstitions of their customers.

You can see this in the “hardware appliance” market today with vendors like Cisco and Blue Coat, who charge unseemly premiums for low to moderate grade hardware and software bundles. They get away with this by sprinkling a generous portion of fairy dust over their products, which magically makes their hapless customers believe that their offerings are more secure, higher performance and more reliable than a Windows based solution.

It’s an amazing disconnect for those of us who have been using Windows based Firewalls, email systems, databases and other applications for years without any significant security, performance or reliability issues, or at least fewer than those documented by the “hardware appliance” vendors (this is in regards to security, where Windows based Firewalls have a better track record, security-wise, than most “hardware” implementations).

But I think there’s light at the end of the tunnel. Today’s network admins are smarter than those who “grandfathered” in from the 1990s. Those old timers think in terms of “port opening and closing” and “Windows 95 isn’t secure”. Modern network admins realize that Windows is as secure as you make it and Windows based Firewalls, such as the ISA Firewall, can be as secure, and in most cases, more secure than so-called “hardware” firewalls.

Even more important, the “hardware firewall” hucksters are going to have to deal with changes in the market. One of the Old Chestnuts guys like Blue Coat like to throw at you is that “we have higher performance because we’re purpose built”. My ass. If I create a white box solution with a dual die, 4-way per die, making for an 8 way box, I’ll wipe out any fantasized performance advantages that the Blue Coat box might have, and I’ll be able to do it at about half the price and not pay PHAT margins to the sales guys who supply me with a load of bull about their relative performance, reliability and security when compared to Windows.

For another excellent perspective on the “hardware appliance” smoke and mirror show, check out Why appliances are dinosaurs at http://www.theconvergingnetwork.com/2006/11/why_ap...s.html

HTH,

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7

Email: tshinder@isaserver.org

MVP — Microsoft Firewalls (ISA)

8 Responses to “Getting out of the Hardware Appliance Racket”

  1. Ray Says:

    December 9th, 2006 at 8:12 pm

    The thing that constantly amazes me is how supposedly competent people equate “hardware appliance” with “no maintenance required” or “I’m not responsible for it”.

    To all of you: Unless the appliance is running on mechanical relays and vacuum tubes, software is somehow involved. Software with flaws written by people just like those who write software for “non-appliance” firewalls.

    And you are still responsible for keeping its software (a.k.a. “firmware”) updated and administered properly. You will lose your job for having a “hardware appliance” getting compromised just as fast as for a non-appliance firewall. And maybe faster if you neglect your responsibilities.

    Ray

  2. Jeff Wiltshire Says:

    December 12th, 2006 at 4:13 am

    I occasionally watch from afar and smile at Tom’s “one man crusade” regarding ISA and other firewall vendors and then move on without comment…..

    However this time your argument is so flawed that it begs to be commented on. Your choice of Hardware Appliance vendors are hardly representative, Bluecoat don’t produce hardware firewalls (they are a proxy/AV appliance company) and Cisco are hardly on the leading edge of appliance technology. There are a large number of hardware firewall vendors making very good products which completely eclipse the capabilities of ISA 2006, I suggest you look long and hard at vendors like SonicWALL, NetASQ, Juniper, Fortinet, Nokia (with Checkpoint) etc etc. SonicWALL have Intrusion Prevention, Deep Packet Inspection, Gateway Anti-virus, Anti-Spyware built in to a sub $1000 box.

    Just in case you get the wrong idea I have built an ISA 2004 system based on 2 4-way arrays to handle 125,000 users (over 40,000 concurrent users) so I’m not a complete idiot when it comes to ISA.

  3. Thomas Shinder Says:

    December 12th, 2006 at 5:24 am

    So let me get this right — you can provision a SonicWALL or Check Point Server for 125,000 users for under $1000? AND include IPS, DPI (marketoid speak!), AV and AS?

    I’d like to see that!

    BTW — there are no flaws in the argument. Read the discussion again and you’ll find all assertions irrefutable. I’ve proven that already because you weren’t able to refute any of the assertions you called “flawed”.

    HTH,
    Tom

  4. Jeff Wiltshire Says:

    December 12th, 2006 at 6:54 am

    I never said that you could provide a solution for 125,000 users for under $1000….re-read what I wrote.

    Your argument is flawed as the examples you use are not what you claim them to be and yet again you are being deliberately disingenuous with your response. Regardless of how you would like it to be different ISA is not the greatest firewall on the planet.

  5. Thomas Shinder Says:

    December 12th, 2006 at 7:07 am

    The discussion isn’t about the best firewall in the world, it’s about how customers get duped and taken advantage of because of the “hardware appliance” racket. Customers waste thousands of dollars on the “appliance” Ponzi scheme every year.

  6. Jeff Wiltshire Says:

    December 12th, 2006 at 7:26 am

    I have no idea what a Ponzi scheme is….must be a US term.

    Hardware firewalls can be purchased that will outperform ISA 2006 for less than the cost of the license fee for standard edition plus Windows 2003 license + server hardware. There is no racket as you would like to believe…..

  7. Billy Bath Says:

    December 24th, 2008 at 6:10 am

    Jeff there is no argument that one can buy a UTM like device for $1K from Sonicwall or any of their one dozen competitors who built lots of features on 300MHz type custom systems, this class of products from Sonicwall are built for SMB’s and not for SME’s or Large Enterprises. ISA/TMG (with the current licensing models) is built for SME and Large Enterprises. I would like to disclose that I work as a BDM at nAppliance Networks, Inc and we are one of Microsoft’s ISA and IAG OEM appliance partners. An entry level build-Your-Own ISA server will still have a price tag of $3K+, SMB market pretty much is sub-4K market. So, Sonicwall is not a vendor which Tom has any problem with and he can never win an argument and I doubt if he really cares @ under $3K knowing the cost restraints.

    Tom’s point seems to be directed at Tier-1 players catering to Large Enterprises, and at the lowest end to SME’s. You said “Just in case you get the wrong idea I have built a ISA 2004 system based on 2 4-way arrays to handle 125,000 users (over 40,000 concurrent users) so I’m not a complete idiot when it comes to ISA.”, that to me looks like a pure Large-Enterprise play, and if you built the solution in house you probably paid @ $12K for the entire solution or somewhere in that ball park; please help me with the math:

    Windows Server: $800×2
    Dual Socket Enterprise: 2 x $3000
    Hardware: $2,200×2
    Two boxes will cost @ US$12,000

    Now, if you had gone to Checkpoint’s (which as of yesterday owns all of Nokia’s business, or soon to be) or Juniper, or any of the other Tier-1 vendors you referenced above you would have paid 2 to 4+ times more monies. Tom is right…. you save BiG. Plus, Tom addresses the benefits of building your own high performance platforms with tons of muscles.

    Now if an enterprise buys a fully integrated server-appliance solution from us, or any of our other competitors namely Celestix or Secureguard and such.. we try to get you “an out of the box experience” which is close to what Tier-1 will offer in terms of software updates, patches, support, professional services and such. We charge you a tiny premium but the overall saving is still BiG. I think you should challenge Tom to do a head to head comparison to support your argument and let’s see how the numbers compare for your 125,000 user deployment. Tom will be happy when he sees the savings.

    Your second half of the argument deals with functionality comparison, I am not going to address that as Tom can do a much better job. As per my experience there are many parts of the world where the enterprises are now more comfortable buying Microsoft security products; the complaint is that Juniper does not have local support, and they had given up on Checkpoint and Nokia as they kept on pointing fingers at each other when it came to resolving some critical issues. This could be a separate thread of its own, and maybe Tom can share with you that some of the largest enterprises of the world do run ISA; we integrate Microsoft Security products so we can provide “out of the box experience”, similar to what Tier-1 vendors will provide:
    - SME’s now have access to Enterprise grade products; similar to what you have without having to spend 2 to 5+ times more.
    - Business and Enterprises of any size have an option to call one vendor for appliance, support and services.

    I don’t wish to further ignite the discussion and hope that I have provided reasonable input as how I see that customers like yourself are saving by not having to buy custom security appliances from Tier-1 vendors.
