Arthur Cole spoke with Sandra Vaughan, senior vice president of product and marketing for Proofpoint.
Cole: With the goal of virtualization and multicore technology being to reduce the amount of hardware in the enterprise, is there a future for physical appliances anymore? Or does it belong to virtual devices?
Vaughan: Obviously, physical appliances offer many terrific benefits, which has led to their popularity. Appliances are pre-configured, easy to deploy, simple to manage and usually offer a compact form factor. But the popularity of hardware appliances has led to a new problem, sometimes called "appliance overload" or "appliance bloat" — racks and racks of multicolored boxes, each performing a specialized function. As enterprises have deployed more and more appliances, the ease-of-use and management benefits that make appliances popular are at risk of being overwhelmed by the complexity and cost involved with managing a large number of point solutions. Virtual appliances are one potential solution to this problem. With virtual appliances, you can install hardware-free appliances on existing virtualized server infrastructure. The benefits are the same as those realized by traditional server virtualization — server and storage capacity can be increased without investing in additional hardware — but virtual appliances can also take advantage of the data center's virtualized failover, backup, change management and disaster recovery features, generating further efficiencies. In addition, new virtual servers can be deployed for scalability or redundancy purposes on an as-needed basis at zero incremental cost. While hardware appliances will remain the most popular deployment method for many applications in the near term, it's not a stretch to say that virtual appliances, coupled with commodity hardware, will eventually overtake today's customized appliances. This will happen especially rapidly at enterprises with aggressive virtualization strategies — where the significant cost savings, coupled with benefits of using superior best-of-breed technology, will far outweigh any perceived performance advantages of appliances, even those built on custom hardware.
Cole: At the moment, the trend nowadays is toward multifunction appliances. Doesn't that add levels of complexity that diminish the advantages of appliances in the first place?
Vaughan: It really depends upon the type of multifunction device you're considering. In many cases, multifunction appliances make a lot of sense but, as you imply, it can be a slippery slope. In the case of messaging security (where my company specializes), it makes sense to have a single appliance with a unified management interface for anti-spam, anti-virus, acceptable use policy enforcement (both inbound and outbound), data loss prevention policies, policy-based encryption, etc. Multifunction appliances (whether hardware or virtual) make sense when you can leverage policy-setting or administrative efficiencies. For example, if you manage your company's messaging system, it's safe to say that you're interested in what's coming in, and what's going out. So it makes sense to have a management interface that gives you insight into both inbound and outbound system status and policy enforcement. Similarly, it's attractive to set policies for one channel (e.g., e-mail) and enforce those same (or similar) policies on other channels (e.g., HTTP, FTP) and manage those in one convenient location.
Cole: But this approach might not be appropriate for other applications?
Vaughan: In some cases, it is best to have separate appliances. For example, Proofpoint recently introduced a new product that consolidates all your messaging system logs and makes it easy to do message tracing and message forensics across your entire infrastructure. We offer this on a separate appliance because it's a very CPU-intensive sort of operation and because it addresses the needs of a different set of users than our gateway messaging security product. For example, both e-mail admins and IT help desk staff might use our Smart Search product to answer common message tracing issues. But you probably don't want to give your IT help desk staff a login to the administrative console on your e-mail gateway. So really, it's a question of design appropriateness.
Cole: Does a virtual appliance, such as your VMware-compatible messaging gateway, provide the same features and flexibility as the physical version?
Vaughan: Proofpoint's virtual appliance, the Proofpoint Messaging Security Gateway — Virtual Edition offers exactly the same features and functionality as its hardware counterpart. In fact, you can even deploy both hardware and virtual appliances in the same Proofpoint infrastructure. We are starting to see many customers do these "hybrid" deployments where there may be several hardware appliances that are supplemented by the virtual appliance as a way to easily scale on demand. From our architecture's point of view — and for the administrator — adding a new virtual appliance and adding a new hardware appliance is exactly the same procedure. But there's no heavy lifting involved in the virtual appliance case. One great advantage of virtual appliances is that they are ideal for product evaluations. It's so much easier to download a demo version, open it in VMware and be on your way, rather than ordering an eval appliance, waiting for it to be delivered, etc. We make our virtual appliance available in a trial version that gives you 45 days to test it out in a lab or production environment.