Thoughts on all-in-one

Recently a customer asked us what I thought about all-in-one options for filtering web and email. I did warn him it was dangerous asking opinionated technical people questions like this. However, I thought it might be of use to others given the recent focus on all-in-one, so here it is, very slightly edited for typos (I hope). It’s a little focused on the mail and web question, but the principles also apply more generally.
Executive Summary
I don’t generally like “all-in-one” solutions in the security space. Therefore I have preferred best-of-breed point solutions for firewalls, email relays, proxy servers and IPS. Specifically addressing firewalls, I wrote the following relevant blog entry.
This is not to say there is no circumstance where it can work, but after 12 years I believe the statistical chance of it working out as a great experience for most is low.
Technical Long Winded Answer
1. Mail and Web have almost nothing in common.
Therefore a combined management and reporting view offers me no meaningful correlation.
2. Integration by nature intensifies single point of failure.
Mail and Web often have differing business continuity impacts. Some can live without web for some time but cannot afford to have email go down, or vice versa. If all your eggs are in the one basket, the proxy load can take down the email gateway.
3. Proxy servers by nature are less stable than email relays.
Email relays can be locked down for long-term stability, but proxies are by nature tied to Active Directory or another authentication realm. This means a much bigger OS footprint with many ‘essential services’ that reduce long-term stability on that box. I have managed locked-down email relays that have gone for over a year without a reboot under consistently high loads.
4. Email has DNS-based failover built into the protocol, but proxy failover can’t be done easily.
It is comparatively cheap and easy to create email failover. But proxy-based failover is hard to implement without load-balancing equipment to automate it. Placing everything in one box ties the one to the other, increasing costs. Why buy two proxies just to get SMTP redundancy?
5. Vendors are best at something.
Therefore all-in-one products invariably have at least one (sometimes two) very well executed part(s), and it’s downhill from there. Depending on your needs this may not be a show-stopping issue, but it should be carefully evaluated before the fact. If it doesn’t work out you’ve blown both budgets, and changing one means changing two.
6. All-in-one does offer the potential of reduced OS licensing and reduced hardware cost.
But that’s not a technical argument so I have no opinion on that.
7. All-in-one solutions mean there is a single support responsibility.
But you’ll be talking to a general all-in-one level-one support engineer for whom English is probably a second language, so it’s a debate as to whether this is a plus or a minus.
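Point 4 above rests on the MX failover rule that SMTP builds into DNS: a sending MTA sorts the receiving domain's MX records by preference, tries the lowest-preference hosts first (equal preferences in random order to spread load), moves to the next host when one refuses or times out, and treats a domain with no MX record as a single MX of preference 0 (RFC 5321 section 5.1). The following is an added example written for this page, not code from the original post; the domain names, the MX set and the simulated outage are constructed, and `connect` is a stand-in for opening port 25 and completing the SMTP dialogue, so nothing touches the network.

```python
"""MX-based failover as SMTP specifies it (RFC 5321 section 5.1).

Constructed example: the MX set and the connect results below are made up
for illustration; no DNS lookups or network connections happen.
"""
import random
from typing import Callable, Dict, List, Optional, Tuple

# Constructed MX answer for a hypothetical domain, as (preference, host).
# Lower preference is tried first; equal preferences are tried in random order.
SAMPLE_MX: Dict[str, List[Tuple[int, str]]] = {
    "example.test": [
        (20, "backup-mx.example.test"),
        (10, "mx1.example.test"),
        (10, "mx2.example.test"),
    ],
    # A domain with no MX record: RFC 5321 says to treat the domain itself
    # as a single MX with preference 0 (the "implicit MX" rule).
    "nomx.test": [],
}


def delivery_order(domain: str,
                   mx_records: Dict[str, List[Tuple[int, str]]],
                   rng: Optional[random.Random] = None) -> List[str]:
    """Return the hosts for `domain` in the order an MTA must try them."""
    rng = rng or random.Random(0)  # fixed seed keeps the example reproducible
    records = mx_records.get(domain, [])
    if not records:
        return [domain]  # implicit MX: the domain's own address record
    by_pref: Dict[int, List[str]] = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered: List[str] = []
    for pref in sorted(by_pref):
        hosts = by_pref[pref][:]
        rng.shuffle(hosts)  # spread load across equal-preference hosts
        ordered.extend(hosts)
    return ordered


def deliver(domain: str,
            mx_records: Dict[str, List[Tuple[int, str]]],
            connect: Callable[[str], bool],
            rng: Optional[random.Random] = None) -> Optional[str]:
    """Try each MX in order and return the first host that accepts, or None.

    `connect(host)` stands in for a TCP connect to port 25 plus the SMTP
    dialogue; it returns True when that host accepted the message.
    """
    for host in delivery_order(domain, mx_records, rng):
        if connect(host):
            return host
    return None  # every MX failed: a real MTA queues and retries later


def main() -> None:
    # Simulated outage: mx1 is down, every other host accepts.
    down = {"mx1.example.test"}
    accepted = deliver("example.test", SAMPLE_MX, lambda h: h not in down)
    print("delivered via", accepted)


if __name__ == "__main__":
    main()
```

The failover costs the sender nothing beyond the second MX record: when mx1 is down the message lands on mx2 without any load balancer in the path, and only when both preference-10 hosts fail does the preference-20 backup see traffic. That is the asymmetry the point makes: an HTTP proxy has no equivalent client-side rule, so its redundancy has to be bought separately.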
