WatchGuard's new Global Security Manager software, announced this week along with Firebox II, lets ISPs remotely manage firewall appliances placed on the premises of customers that want to outsource their network security.
WatchGuard already claims some success--PSINet this week signed a major but still unannounced deal for Firebox II appliances to boost its outsourcing business, sources at both companies confirmed.
"This kind of device can offer security for the masses," said PSINet's Mark Fedor, vice president of engineering. "Security should be added onto other services [offered by ISPs]."
Gartner Group gave firewall appliances a boost last summer when analyst Michael Zboray advised smaller companies that they would be more secure and spend less using firewall appliances than using general-purpose firewall software.
Gartner predicted that by 2002 at least 40 percent of firewalls shipped would be firewall appliances.
"Firewalls require a lot of attention," said Larry Hughes, security engineering manager at ISP Verio Northeast. "We need appliances with only the required hardware and software."
Firebox II--like other firewall appliances from vendors including Technologic and TimeStep--includes firewall software and a secure operating system on a dedicated piece of hardware. The operating system is typically stripped down to include only what's required to run the firewall software, thus eliminating security weaknesses endemic to full-scale operating systems like Unix or Windows NT.
Cisco Systems and Data General also ship appliances that bundle firewall software on a single-purpose hardware device, but WatchGuard is one of the few vendors targeting ISPs as a channel to sell its firewall appliances.
Firewalls are notoriously difficult to set up, and incorrectly configuring them can open security holes that let hackers onto a network despite the firewall. By outsourcing their network security to ISPs, companies can let experts handle the headaches. That's particularly important today because of the scarcity of skilled security specialists.
"The majority of companies conducting business on the Internet do not have in-house security expertise or personnel to manage the security function," WatchGuard CEO Christopher Slatt said in a statement.
WatchGuard is positioning Firebox II as a "hands-free managed security solution" that ISPs can remotely install, manage, and update from a central location using a built-in PCMCIA card in Firebox II.
Still, Stephen Kent, of ISP GTE Internetworking, cautioned that firewall appliances are no panacea for outsourcing security, stressing the need to support Internet standards and to independently test the devices to be sure they work.
"We need to manage a collection of devices from a number of vendors," Kent said, noting that customers that want to outsource security management to ISPs may already have firewalls in place from different vendors. He noted that the IPSec standard is bringing interoperability to virtual private networks. The International Computer Security Association is now evaluating and certifying firewalls.
A limited number of ISPs will begin deploying Firebox II and the management software next month, with the firewall appliance due to ship in July or later. Firebox II is listed at $4,995, including firewall, authentication, virtual private network, and management software.