In organization's perimeter defense is the oldest and, some would say, the most cluttered security layer. Firewalls have kept watch for two decades at the frontier where corporate networks reach the Internet. A firewall blocks questionable network packets from reaching internal networks, denying passage based on the IP address of the packet's source or the destination service such as File Transfer Protocol the packet is attempting to reach. Intrusion detection systems followed firewalls into the fray, detecting malicious software such as worms and other attacks that would get past a firewall. Intrusion prevention systems both detect and block attacks. Also on the network border: secure messaging gateways designed to stem spam and e-mail-borne viruses.

One reaction to those mounting lines of perimeter defense: consolidation. Kansas City Life Insurance, for one, replaced traditional, single-purpose devices with a hardware-software combination called a unified threat management (UTM) appliance. The device combines the firewall typical of perimeter defenses with intrusion prevention systems, anti-spam and antivirus software, and Web filtering.

Pricing for entry-level appliances designed for small offices starts at less than $1,000, while UTM products for large enterprises cost upward of $10,000. Vendors include Astaro, Cyberoam, Crossbeam, Fortinet and Secure Computing.

In opting for Astaro's unified threat management offering, Kansas City Life was able to unplug several pieces of gear, including its Cisco Systems PIX firewalls and an Internet Security Systems intrusion detection system, says Keith Beatty, network engineer at Kansas City Life.

The Astaro product's anti-spam and Web filtering capabilities sold as optional features, according to the vendor let Kansas City Life jettison three additional security elements: GFI Software's MailEssentials anti-spam filter and MailSecurity e-mail firewall, and SurfControl's Web filtering application.

The simplification has lowered Kansas City Life's security costs by a few thousand dollars a year in reduced software licensing and support expenditures.

Kansas City Life has also scaled back its reliance on contractors. With one vendor's technology to support, the company can use in-house experts to do the job.

Still, organizations seeking the benefits of integrated perimeter security face implementation challenges with unified threat management. "One of the main issues you're going to have with UTM is the fact that you are doing so much in one box that you have to be careful about scalability," Beatty warns. "And that is where we stumbled a couple of times."

He says the appliance, although a "pretty powerful device" in his estimation, would take a performance hit during busy times of day. The product's Web filtering function, in particular, is extremely CPU-intensive, he says. The product scans for viruses on each user's Internet connection, so CPU demand mounts as the number of concurrent Web surfers rises. Kansas City Life maintains a home office staff of more than 500 and supports 1,400 agents in the field.

To balance the load, Kansas City Life shifted another CPU-intensive task spam filtering to a second appliance. That appliance is actually Astaro's software loaded onto the company's own hardware. Beatty says that smaller organizations can probably get by with one appliance. But as a best practice, midsize and larger organizations should "split the load between two boxes," he adds.

According to an Astaro spokesman, "Most of Astaro's customers run all their features on one unit that is sized correctly for their environment. In some situations, we have customers that like to run certain subscriptions on separate units." The spokesman adds that customers may use two appliances to prevent one appliance from becoming a single point of failure.

Beatty calls Web and spam filtering the two greatest consumers of CPU and memory resources: "They will definitely impact the hardware more than anything else."

Next page: Layer 2: Host Security