SLA 104: Choosing the service hardware

03.05.2006
In this installment of a series on understanding service-level agreements, I'll look at what you need to consider when choosing the hardware used to provide the services.

Service providers offer various hardware options depending on the nature of the security service for which users sign up. Some services will require the installation of dedicated hardware at the customer's site or, if the service provider will be providing hosting services, in their cage. Some service providers host their own hardware in their own network operations center. Some provide the security service through hardware that is shared with many other customers.

Which option is better for your business depends on many factors, including your security policies, budget, trust in the service provider and the actual products used. In many cases, dedicated hardware may be more expensive than shared hardware.

Dedicated hardware may be a better option if you are a large financial or health care organization that does not want to sacrifice security for a cheaper application. Using dedicated hardware helps ensure that your infrastructure won't be compromised because of misconfigurations or software bugs on a device shared with other customers. For example, misconfigured firewall settings or defects in the firewall software could cause your traffic to be routed to the wrong interface, in which case the content of your applications will be exposed. These are not common problems, but they are considerations to keep in mind, especially if you have to comply with regulations such as the Sarbanes-Oxley Act of 2002 or the Health Insurance Portability and Accountability Act, where data protection is the most important requirement.

Dedicated hardware considerations

Dedicated hardware applications may come in the form of appliances that the product vendor sells, or dedicated hardware on which the service provider has installed the security software. Either way, it's a piece of hardware you are not sharing with any other SLA customers.

Many providers offer different hardware set-ups depending on your performance requirements. The hardware at each level differs in terms of CPU, RAM, disk space and so on. Service providers will usually help you identify the hardware that best fits your environment, based on, for example, traffic volume on the network, or number of connections or users required.

Service providers don't always provide details about their hardware configurations in their SLA. This is because of the rate at which hardware installations can change. Not committing to specifics allows service providers to switch to other hardware when certain units are no longer available or when there are cheaper alternatives, or to upgrade hardware as replacement parts for older units become expensive or obsolete.

However, you should find out which hardware the service provider is installing. This will allow you to ensure that when hardware is changed, you are still getting equivalent or higher performance from the new hardware. It will also give you a better gauge as to whether the hardware will meet your performance requirements and let you plan for the future. It's also a good idea to negotiate a clause in the contract or SLA to ensure new hardware will have equivalent or higher performance.

Performance considerations

Almost all managed security services require the hardware to support high-performance networks, e.g., Fast Ethernet or Gigabit Ethernet. Many service providers state in the SLA the aggregated throughput of the hardware provided. Look for terms such as "up to 1Gbit/sec. of aggregated throughput" or "between 500Mbit/sec. and 1Gbit/sec. of throughput."

High-end hardware should support aggregate throughput of over 1Gbit/sec. Average hardware should support from 500Mbit/sec. to 1Gbit/sec. Low-end hardware should support anywhere from 100Mbit/sec. to 500Mbit/sec.
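As an added example (not from the column), here is a small Python parser for the two throughput phrasings quoted above. It places a clause into the column's three bands by its guaranteed floor, checks the floor against your own traffic requirement, and applies the "equivalent or higher performance" test for replacement hardware from the earlier section; the band boundaries are the column's, the function names and the treatment of "up to" as a ceiling with no guaranteed minimum are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches the column's own notation, e.g. "1Gbit/sec." or "500Mbit/sec".
_RATE = r"(\d+(?:\.\d+)?)\s*([MG])bit/sec\.?"


@dataclass(frozen=True)
class ThroughputClause:
    floor_mbit: Optional[int]  # guaranteed minimum; None when the clause states none
    ceiling_mbit: int          # stated maximum


def _to_mbit(num: str, unit: str) -> int:
    return int(float(num) * (1000 if unit.upper() == "G" else 1))


def parse_throughput_clause(text: str) -> ThroughputClause:
    """Parse 'between X and Y of throughput' or 'up to Y of aggregated throughput'."""
    m = re.search(r"between\s+" + _RATE + r"\s+and\s+" + _RATE, text, re.IGNORECASE)
    if m:
        a, b = _to_mbit(m[1], m[2]), _to_mbit(m[3], m[4])
        return ThroughputClause(min(a, b), max(a, b))
    m = re.search(r"up to\s+" + _RATE, text, re.IGNORECASE)
    if m:
        # Assumption: "up to" is a ceiling only; the provider has committed to no minimum.
        return ThroughputClause(None, _to_mbit(m[1], m[2]))
    raise ValueError(f"unrecognised throughput clause: {text!r}")


def tier(clause: ThroughputClause) -> str:
    """Band by the guaranteed floor (low 100-500, average 500-1000, high above 1 Gbit/s)."""
    f = clause.floor_mbit
    if f is None:
        return "unspecified"
    if f > 1000:
        return "high-end"
    if f >= 500:
        return "average"
    return "low-end" if f >= 100 else "below low-end"


def meets_requirement(clause: ThroughputClause, required_mbit: int) -> bool:
    """True only when the guaranteed floor, not the ceiling, covers your traffic volume."""
    return clause.floor_mbit is not None and clause.floor_mbit >= required_mbit


def equivalent_or_better(old: ThroughputClause, new: ThroughputClause) -> bool:
    """Replacement-hardware test: neither the guaranteed floor nor the ceiling may drop."""
    old_floor, new_floor = old.floor_mbit or 0, new.floor_mbit or 0
    return new_floor >= old_floor and new.ceiling_mbit >= old.ceiling_mbit
```

A clause that reads "up to 1Gbit/sec." therefore never passes `meets_requirement`, which is exactly why you want the "between" form in the SLA.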

It's important to specify the number of network ports to be allotted for your needs, as that will dictate the number of network segments you can set up and, thus, your potential throughput. Most security experts design network infrastructures with multiple segments, such as one for an application DMZ and one for a database DMZ. Depending on your configuration, you might want to have three or four segments. If you have a piece of stand-alone hardware with only two available ports, you'll have to design around that limitation. You should also stipulate that the port speed must support the highest-performance switch on your network. This ensures that your network is not slowed down by the firewall and that your IDS can adequately monitor your network.

Many hardware-based security applications store the actual software image on flash cards. This allows vendors to upgrade the software by simply writing over the flash memory. But as features increase, so do memory requirements. You'll need to make sure that the flash cards installed in your appliance can accommodate upgrades. Flash cards are cheap, so look for cards that have at least 50% more space than initially required for the software itself.

Physical considerations

If your provider installs a security appliance at your facility, you need to be aware of that unit's space requirements: A 3U security appliance takes up three times the room of a 1U appliance, and the more space your security appliance requires, the less room you have for your other servers. If rack space is at a premium in your data center, make sure your provider states the rack requirements of your appliance, since when it comes time to replace your hardware, your provider may want to install a larger appliance. If you've filled up your rack already, you'll find it tricky to find more space for the new hardware.

Some of you may be using rented space in a hosted data center. This means you are paying for every unit on that rack. The less you use for the security hardware, the better off you are.

Some service providers keep the hardware at their own facilities. Others require you to make room for it at your site, to which you then must allow your provider access. Find out what your options are, as there are several advantages to having the service provider host the hardware in their space:

-- The less space used up on your racks the better, since, as mentioned, the required space will subtract from that available for other hardware needs.

-- The fewer people that have access to your server room or hosting cage, the better. If the service provider hosts the hardware in its space, you can reduce the number of people accessing your cage when there's an issue.

Hardware failure considerations

Your service provider should not need to access your facility unless there's a hardware failure. To save time and money, service providers will normally fix the hardware using out-of-band connections such as modems, or will walk you through the steps of fixing the hardware, before they send engineers to your site to fix or swap the hardware.

When the hardware is installed on your site, it's critical that the service provider has some type of out-of-band management to the hardware, e.g., a modem connection to the console port. Without that, it's likely that you will need staff on hand at all times to help support the service provider.

In most cases, when the hardware is installed on the customer's premises, service providers cannot provide spare parts to that site. When the hardware fails, the service provider needs to ship the replacement and install it when it gets there. Ensure that the SLA clearly states the amount of time it takes to ship and install the hardware. Do not accept anything slower than next-day shipping; anything longer will leave your network at risk.

If uptime is critical (and who can afford downtime?) for the location, take the high-availability options for the hardware or look for a service provider that can offer on-site visits in two to four hours. However, keep in mind that these services will usually have a fairly high premium.

Given that uptime or service availability is the most critical factor for service measurement, most service providers offer high-availability (HA) options for your service. Most often you will see active-standby configurations. Some service providers offer clustered offerings in an active-active configuration. The clustered application is usually more expensive, but overall HA offerings should be less expensive than contracting for two separate hardware installations. For services that include hardware installed on the customer's site, an HA configuration is highly recommended, as you don't want your network to be without protection when the hardware fails.

Shared hardware considerations

A shared or virtual hardware configuration means that multiple customers share the same physical hardware. Some service providers offer the shared configuration option as a lower-cost alternative to dedicated hardware products. The first questions that arise when contemplating shared hardware are probably related to performance and security.

Service providers may institute a couple of parameters to guarantee your performance. First, they may limit the number of customers that will be sharing the same hardware. The number of customers sharing the hardware depends on the hardware used. There's probably not much negotiation you can do here, but if you know that number as well as the hardware specification, you can perform your own research to find out whether you are comfortable with the vendor's contractual claims.

Second, some service providers will guarantee your throughput while using the shared hardware. Since shared hardware means that many customers share a single uplink, you need to know the uplink's throughput guarantee to see if this application is acceptable for you. The service provider must be able to state the throughput in the same terms as the dedicated hardware, and the numbers are the same as those given in the above section on aggregate throughput. High-end service should support aggregate throughput of over 1Gbit/sec., average service should support from 500Mbit/sec. to 1Gbit/sec. and low-end service should support anywhere from 100Mbit/sec. to 500Mbit/sec.

It's possible that some service providers will stipulate lower performance for shared hardware. That's OK as long as the performance meets your needs. The point here is to ensure the service provider clearly states the performance of the service.

Given that uptime or service availability is the most critical factor for service measurement, most service providers configure shared hardware in a high-availability configuration; in most cases the setup is an active-standby configuration. This should be your service provider's standard. If the shared-hardware application is not in HA configuration, it may be too risky for your environment.

In addition to all the hardware considerations, there are factors that you must consider when choosing security software to protect your network. In the next column, I will go over the software considerations to ensure your IT infrastructure is well protected.

Jian Zhen, CISM, CISSP, is the director of product marketing at LogLogic, a log management and intelligence firm in Sunnyvale, Calif. He has been in the information security industry for 10 years. He can be reached at zhenjl@gmail.com or his blog at Operational Intelligence.