'Best of suite' not 'best of breed'
The biggest danger, however, is buying products with all of these security features from one vendor, Blum said. "It's a violation of the principles of layered defense."
A company can get more for its security money by purchasing from fewer vendors, but a "best of suite" strategy is preferable to a "best of breed" one, he said. For example, an IT executive may want to buy a device from Cisco or Checkpoint Systems Inc. for the perimeter, but they may choose another vendor for intrusion detection. "If you buy that from the same vendor as is providing your perimeter products, maybe both products will make the same mistakes," Blum said.
Some customers in IT agree that while it may be appealing to have a single appliance to manage and maintain, there is the concern that the device may also be a single point of failure. Security is about limiting your exposure. If you go to one source, and someone attacks that source, you're out of luck, said Bill Randall, director of MIS infrastructure at Red Robin Gourmet Burgers Inc., in Greenwood Village, Colo. "You still need to have redundant systems," he said.
Different pieces for different needs
Randall said his company uses individual appliances for some tasks. For example, it uses an intrusion prevention system from 3Com Corp.'s TippingPoint Technologies Inc. division, but he believes there are many more vulnerabilities than just the network edge. "For antivirus and spyware, it's easy to integrate whatever solution you're using for your end users [at the desktop] and just extend it out," he said.
Other users agree that it's not always possible to control all security from the network perimeter. One reason is that in some environments, such as a university setting, it's hard to set a universal policy about what is and is not allowed to come into the network.
The IT staff at a college has no clear knowledge of what is being used by everyone on campus and is therefore reluctant to take any action that will break something for someone, said Joe Strecker, an IT manager of the computer resources group at J.L. Voss Veterinary Teaching Hospital at Colorado State University, in Fort Collins, Colo.
Strecker prefers to zero in on an individual machine. "Even if the border is well sealed, there are still people bringing in laptops from home, so individual machines must be hardened," he said.
Step one: Do a self-evaluation
Burton Group's Blum suggests that in developing a security strategy, IT managers should start with a risk management assessment of their company that looks at people, processes and technology. In terms of technology, he recommended developing a security architecture in which the target starting period is a few years away.
Blum warned that there may be political reasons within a company that dictate the selection of certain vendors. And in some cases, it may be mandated that a product has to interoperate with specific platforms, such as SAP, Linux or Windows, he said.
Regardless of individual cases, though, securing the perimeter of a network goes far beyond "set and forget."