Getting out of the Hardware Appliance Racket

I’ve always considered the “hardware appliance” business as some kind of racket akin to the old Military Industrial complex post World War II. They had fear and superstition in common, and most importantly, the racketeers were able to cash in big on the ignorance and superstitions of their customers.

You can see this in the “hardware appliance” market today with vendors like Cisco and Blue Coat, who charge unseemly premiums for low to moderate grade hardware and software bundles. They get away with this by sprinkling a generous portion of fairy dust over their products, which magically makes their hapless customers believe that their offerings are more secure, higher performance and more reliable than a Windows based solution.

It’s an amazing disconnect for those of us who have been using Windows based Firewalls, email systems, databases and other applications for years without any significant security, performance or reliability issues, or at least fewer than those documented by the “hardware appliance” vendors (this is in regards to security, where Windows based Firewalls have a better track record, security-wise, than most “hardware” implementations).

But I think there’s light at the end of the tunnel. Today’s network admins are smarter than those who were “grandfathered” in from the 1990s. Those old timers think in terms of “port opening and closing” and “Windows 95 isn’t secure”. Modern network admins realize that Windows is as secure as you make it and Windows based Firewalls, such as the ISA Firewall, can be as secure, and in most cases, more secure than so-called “hardware” firewalls.

Even more important, the “hardware firewall” hucksters are going to have to deal with changes in the market. One of the Old Chestnuts guys like Blue Coat like to throw at you is that “we have higher performance because we’re purpose built”. My ass. If I create a white box solution with a dual die, 4-way per die, making for an 8 way box, I’ll wipe out any fantasized performance advantages that the Blue Coat box might have, and I’ll be able to do it at about half the price and not pay PHAT margins to the sales guys who supply me with a load of bull about their relative performance, reliability and security when compared to Windows.

For another excellent perspective on the “hardware appliance” smoke and mirror show, check out Why appliances are dinosaurs at http://www.theconvergingnetwork.com/2006/11/why_ap...s.html

HTH,

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7

Email: tshinder@isaserver.org

MVP — Microsoft Firewalls (ISA)

6 Responses to “Getting out of the Hardware Appliance Racket”

  1. Ray Says:

    December 9th, 2006 at 8:12 pm

    The thing that constantly amazes me is how supposedly competent people equate “hardware appliance” with “no maintenance required” or “I’m not responsible for it”.

    To all of you: Unless the appliance is running on mechanical relays and vacuum tubes, software is somehow involved. Software with flaws written by people just like those who write software for “non-appliance” firewalls.

    And you are still responsible for keeping its software (a.k.a. “firmware”) updated and administered properly. You will lose your job for having a “hardware appliance” getting compromised just as fast as for a non-appliance firewall. And maybe faster if you neglect your responsibilities.

    Ray

  2. Jeff Wiltshire Says:

    December 12th, 2006 at 4:13 am

    I occasionally watch from afar and smile at Tom’s “one man crusade” regarding ISA and other firewall vendors and then move on without comment…..

    However this time your argument is so flawed that it begs to be commented on. Your choice of Hardware Appliance vendors are hardly representative, Bluecoat don’t produce hardware firewalls (they are a proxy/AV appliance company) and Cisco are hardly on the leading edge of appliance technology. There are a large number of hardware firewall vendors making very good products which completely eclipse the capabilities of ISA 2006, I suggest you look long and hard at vendors like SonicWALL, NetASQ, Juniper, Fortinet, Nokia (with Checkpoint) etc etc. SonicWALL have Intrusion Prevention, Deep Packet Inspection, Gateway Anti-virus, Anti-Spyware built in to a sub $1000 box.

    Just in case you get the wrong idea I have built an ISA 2004 system based on 2 4-way arrays to handle 125,000 users (over 40,000 concurrent users) so I’m not a complete idiot when it comes to ISA.

  3. Thomas Shinder Says:

    December 12th, 2006 at 5:24 am

    So let me get this right — you can provision a sonicwall or Check Point Server for 125,000 users for under a $1000? AND include IPS, DPI (marketoid speak!), AV and AS?

    I’d like to see that!

    BTW — there are no flaws in the argument. Read the discussion again and you’ll find all assertions irrefutable. I’ve proven that already because you weren’t able to refute any of the assertions you called “flawed”.

    HTH,
    Tom

  4. Jeff Wiltshire Says:

    December 12th, 2006 at 6:54 am

    I never said that you could provide a solution for 125,000 users for under $1000….re-read what I wrote.

    Your argument is flawed as the examples you use are not what you claim them to be and yet again you are being deliberately disingenuous with your response. Regardless of how you would like it to be different ISA is not the greatest firewall on the planet.

  5. Thomas Shinder Says:

    December 12th, 2006 at 7:07 am

    The discussion isn’t about the best firewall in the world, it’s about how customers get duped and taken advantage of because of the “hardware appliance” racket. Customers waste thousands of dollars on the “appliance” Ponzi scheme every year.

  6. Jeff Wiltshire Says:

    December 12th, 2006 at 7:26 am

    I have no idea what a Ponzi scheme is….must be a US term.

    Hardware firewalls can be purchased that will outperform ISA 2006 for less than the cost of the license fee for standard edition plus Windows 2003 license + server hardware. There is no racket as you would like to believe…..
