The server versus the appliance - an old argument rears its head again
IT topics: Hardware, Networking, Security, Servers & Data Center, Software
When you are buying a product for your network, be it for security or basic infrastructure, do you prefer an appliance or software that you can install on a server? I realize this may be somewhat of an "old" question since it has been discussed ad nauseam over the last couple of years, but I am noticing this rearing its head again for services that are more core to the network.
The prime example of this is the firewall. Most firewall vendors sell their own appliances today, though some insist on only selling software and making you install it on a server or some other appliance. The more modern UTM appliances are the same. Most people do not even consider a software solution for their firewall / UTM needs.
Another example is IPS. Though IPS functionality is increasingly being folded into UTM appliances, there are still many uses for a stand-alone IPS. So when you start looking for an IPS to buy, you have to consider the platform. Most (if not all) IPS vendors have their own box. But consider the fact that many, if not most, of those boxes are actually hardened servers, not true network devices (meaning purpose-built boxes running a proprietary OS, etc.).
As I said in the first paragraph, I realize this may be considered an old subject, and I think most people have fallen into the appliance bucket (at least the market seems to think so), but there are still those out there who prefer the server route. But more than that, some of the essential services in the network are starting to migrate to appliances as well.
Take DHCP and DNS. These are core services without which your network cannot function (unless you hard code all your IPs and use hosts files for everything - eeewww...). Traditionally, these services are provided by applications / services / daemons bundled with the server OS that you run for your other infrastructure needs. The same is often true for RADIUS and LDAP. If you run Linux for your file servers, user database, etc., you probably also run DNS and DHCP on those servers. The same is true for Microsoft shops. The functions are there. They integrate. Why not?
Maybe because that server is running software that is proven to be insecure if not locked down properly (and even then it is not as secure as we would like). Maybe because Microsoft and Linux are designed to offer a bunch of services, so focus on management of every service is not necessarily as strong as you would like. Maybe purpose-built hardware and software can provide that level of management and you like the security proposition of the proprietary appliance OS. Maybe just because it is a good idea not to have all your eggs in one basket.
Either way, I am seeing this pop up again for services other than just the traditional firewalls, IPSs, etc. Even core services can be broken apart into separate devices. Yes, this can lead to the management nightmare that we have seen before, but often this can be mitigated by other means. It is a strategy worth looking at.