Should you integrate APs with security appliances?

Check Point Software's recent launch of a security appliance bundled with a wireless LAN access point brought to mind an old question: with product integration all the rage, which core competency do you focus on when purchasing a multifunction product?

The Check Point product is by no means unique, as Juniper recently added a similar box (reviewed here) to its Netscreen range. We have also reviewed SonicWall's wireless firewall.

I have raised this question of overlap before, when WLAN maker Aruba Wireless Networks made sweeping network security announcements that seemed to spill outside its primary area of expertise. At the time, Aruba feared that people would start thinking of it as a security company, rather than as the wireless-centric company that it is. But, in fact, all the WLAN vendors have had to focus so hard on solving security problems over the past few years that they've almost become default security experts out of necessity.

I don't, however, believe that the reverse is true - that it can be assumed that security companies can necessarily claim strong wireless expertise. Given that security and wireless both rank very high on enterprise strategic agendas, the question emerges: for small and midsize shops, do you purchase an integrated security appliance with wireless AP or do you go best of breed on each and purchase separate product lines, albeit at a higher total cost of ownership?

One size does not fit all
I don't think there's a one-size-fits-all answer. First, chat up the security appliance vendors and see if any seem to have the wireless expertise, architecture, features and vision that satisfy you. Are you buying the product first and foremost for a strong WLAN platform from a company steeped in RF expertise? Or are you primarily seeking a multilayered, centrally managed, enterprise-wide network security platform, with wireless access as a "nice to have"?

If the wireless component is secondary and if the site you are trying to wirelessly enable isn't likely to grow beyond a few APs, consider the following hybrids:

  • Check Point's VPN-1 Edge W series of wireless appliances, announced last week, which combine APs supporting 802.11b/g and SuperG (108 Mbit/s) with firewall and VPN (IPSec encryption) capabilities, WAN links and hot failover between redundant boxes or between two ISP connections on one box.
  • Fortinet's FortiWiFi-60, which combines network-based anti-virus, firewall, content filtering, VPN, intrusion detection and prevention, traffic shaping and dual WAN links. The appliance conducts full content reassembly by first buffering fragments of sessions, in case a hacker attempts to send malicious signatures in segments, says Fortinet's director of product management Phil Kwan. It also checks HTTP port 80, FTP and e-mail protocols (POP3, SMTP, and IMAP) for IEEE behaviour compliance to make sure infections are not being tunneled through these ports, Kwan says.
  • SonicWall's TZ170 and SOHO TZ line of hybrid VPN encryptors, firewalls and 802.11b and 802.11b/g access points, which also support intrusion detection and prevention. The products also monitor for rogue access points, something the other two companies' products don't do, requiring you to purchase a separate sensor network for this function.
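The content-reassembly point in the Fortinet entry above is worth seeing concretely: a scanner that inspects each segment on its own never sees a signature that has been split across two segments, whereas buffering the session (or carrying a short tail between chunks) restores the match. The following is an added example written for this article, not Fortinet's code or any vendor's implementation; the `Segment` type, the `SIGNATURE` marker and the sample session are all constructed here for illustration.

```python
"""Added example (not from the article or any vendor): per-segment scanning
versus session reassembly for a signature split across segments.
SIGNATURE, Segment and the sample session are constructed test data."""

from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed marker standing in for a real malware signature.
SIGNATURE = b"MALICIOUS-TEST-PATTERN"


@dataclass(frozen=True)
class Segment:
    seq: int        # byte offset of this payload within the session (relative sequence number)
    payload: bytes


def make_split_session(sig: bytes, split_at: int, seq_base: int = 0) -> List[Segment]:
    """Construct a two-segment session in which `sig` is cut at `split_at`
    and the segments are delivered out of order, wrapped in harmless filler."""
    filler_a = b"GET /index.html HTTP/1.1\r\n"
    filler_b = b"\r\n\r\n"
    data = filler_a + sig + filler_b
    cut = len(filler_a) + split_at
    first = Segment(seq_base, data[:cut])
    second = Segment(seq_base + cut, data[cut:])
    return [second, first]  # out of order on purpose


def scan_per_segment(segments: Iterable[Segment], sig: bytes) -> bool:
    """Naive scanner: looks for the signature inside each segment independently."""
    return any(sig in s.payload for s in segments)


def reassemble(segments: Iterable[Segment]) -> Optional[bytes]:
    """Order segments by sequence number and concatenate their payloads.
    Returns None when a segment is missing (a gap), so the caller can hold
    the session until it is complete instead of scanning partial data.
    Overlapping bytes that were already buffered are dropped."""
    ordered = sorted(segments, key=lambda s: s.seq)
    if not ordered:
        return b""
    buf = bytearray()
    expected = ordered[0].seq
    for s in ordered:
        if s.seq > expected:
            return None  # gap: a segment between `expected` and s.seq never arrived
        overlap = expected - s.seq  # bytes of this payload we already hold
        buf.extend(s.payload[overlap:])
        expected = max(expected, s.seq + len(s.payload))
    return bytes(buf)


def scan_reassembled(segments: Iterable[Segment], sig: bytes) -> bool:
    """Buffer the whole session first, then scan it once."""
    data = reassemble(segments)
    return data is not None and sig in data


class StreamScanner:
    """Memory-bounded alternative to full buffering: scan in-order chunks while
    keeping only the last len(sig)-1 bytes, so a match that straddles two
    consecutive chunks is still seen. Chunks must already be in order."""

    def __init__(self, sig: bytes) -> None:
        self.sig = sig
        self.tail = b""
        self.matched = False

    def feed(self, chunk: bytes) -> bool:
        window = self.tail + chunk
        if self.sig in window:
            self.matched = True
        keep = len(self.sig) - 1
        self.tail = window[-keep:] if keep > 0 else b""
        return self.matched


if __name__ == "__main__":
    segs = make_split_session(SIGNATURE, split_at=10)
    print("per-segment scan:", scan_per_segment(segs, SIGNATURE))      # False: signature is split
    print("reassembled scan:", scan_reassembled(segs, SIGNATURE))      # True
    scanner = StreamScanner(SIGNATURE)
    for s in sorted(segs, key=lambda s: s.seq):
        print("streaming scan after seq", s.seq, ":", scanner.feed(s.payload))
```

The `reassemble` function deliberately returns `None` on a gap rather than scanning what it has; a scanner that inspects incomplete data is back to the per-segment blind spot. The `StreamScanner` variant shows the usual trade-off: it avoids holding an entire session in memory but requires the segments to be delivered (or reordered) in sequence before it sees them.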

List prices start at about £500. All three vendors provide distributed enterprises with centralised management and reporting systems, allowing management to scale to thousands of devices across many distributed sites.