Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Thursday, December 10, 2009

A Separate AV/Malware Box?

For those admins who are refreshing their proxy architecture and looking at the various vendors out there for Secure Web Gateways, you may be wondering whether there's a benefit to having the AV (anti-virus) and malware scanning on a separate box. The 600 lb gorilla in the marketplace for web gateway appliances, Blue Coat Systems, uses a two box architecture, while most of the competitors use a single box design, running the AV and malware scanning on the same box as the gateway.

What's the advantage to the second box? In reality the big gain is scale and throughput. By offloading to a second box, you can handle much bigger throughput and many more connections. Even if neither of these is a concern for you, you should also consider what happens when an AV or malware engine goes into a CPU usage storm, and whether you want that to affect the other users of the web gateway. There are files designed to cause AV engines to go into infinite processing loops, and if your AV or malware engine hasn't been tuned to detect these, an AV CPU spike will cause web downtime for your end-users if you aren't using a separate box for AV and malware scanning.
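The CPU-storm failure mode above can be bounded even where scanning shares hardware with the gateway. The following is an added example, not code from this blog or from any vendor: it runs a scanner in its own process under a CPU cap and a wall-clock timeout, and the scanner commands, the `scan_with_budget` name and the fail-open/fail-closed switch are all assumptions made for illustration (POSIX only).

```python
import resource
import subprocess
import sys

# Constructed stand-ins for a scan engine (assumptions, not a real AV product):
# one returns promptly, one spins forever like an engine stuck on a crafted file.
FAST_SCANNER = [sys.executable, "-c", "print('clean')"]
STUCK_SCANNER = [sys.executable, "-c", "while True: pass"]


def _limit_cpu(seconds):
    """Build a pre-exec hook that caps the child's CPU time."""
    def apply():
        resource.setrlimit(resource.RLIMIT_CPU, (seconds, seconds))
    return apply


def scan_with_budget(cmd, cpu_seconds=1, wall_seconds=5, fail_closed=True):
    """Run a scanner command in a separate process under CPU and time caps.

    Returns (verdict, reason), where verdict is 'allow' or 'block'.
    fail_closed decides what happens to the request when the scanner
    cannot give an answer within its budget.
    """
    on_failure = "block" if fail_closed else "allow"
    try:
        proc = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
            timeout=wall_seconds,
            preexec_fn=_limit_cpu(cpu_seconds),
        )
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child before raising, so nothing lingers.
        return (on_failure, "wall-clock timeout")
    if proc.returncode < 0:
        # Negative return code: the kernel killed the child, which is
        # what happens when the RLIMIT_CPU budget is exhausted.
        return (on_failure, f"scanner killed by signal {-proc.returncode}")
    if proc.returncode == 0 and proc.stdout.strip() == "clean":
        return ("allow", "clean")
    return ("block", "scanner reported a detection or error")


if __name__ == "__main__":
    print(scan_with_budget(FAST_SCANNER))
    print(scan_with_budget(STUCK_SCANNER))
```

A per-scan budget like this keeps one runaway scan from holding a core indefinitely, but the scanner still competes with the gateway for the same CPUs, which is the contention a second box removes.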

If web access isn't mission critical to your organization, and you aren't concerned with scale and throughput, a single box solution may be the answer. But before you go that route, make sure you price out the two box solution, and make the right decision based on all the factors and features available to you.
