The current debate in the security blogosphere centers on whether host-based agents are evil - Matasano started it off by suggesting that agents are evil, with follow-up commentaries from Ryan Russell, Amrit and Rich Bejtlich. And, while I'm no big fan of agents, splitting time between the vendor and customer sides of the world has given me a somewhat different perspective.
The bigger problem is the proliferation of "security appliances" found in a datacenter these days. Almost every vendor today is selling an "appliance" - these can be anything from an ASIC-based piece of hardware to a Windows box without a video card in it.
I was at nCircle when we first designed our appliance strategy, and it was a novel approach back then. Very few companies were releasing plug-in boxes that could be dropped onto a network, and the idea was received incredibly well. The promise that appliances reduced TCO was true at the time - there was less infrastructure to manage because of them. But now there are appliances for almost everything. There's a log-management appliance, a vulnerability-management appliance, a patch-management appliance, a network ARP black-holing appliance, and the list goes on and on.
And, unfortunately, these appliances are beginning to do the opposite of what they originally promised. As enterprises organize their security infrastructure to automate patching and ensure availability, the proliferation of different appliances actually adds to TCO - we're spending more time managing our appliances than our actual infrastructure.
This will become increasingly true as the IT world goes more and more virtual - appliances aren't flexible enough to serve as the primary unit of delivery for computing services in a virtualized world.