Juniper Networks' ISG-1000 and Cisco's ASA5540 with its add-on SSM-20 IPS module offer no-compromise IPS products that will make the security purist happy with their configurability and control features.

We rank the ASA5540 slightly behind the ISG-1000, because of Cisco's fairly loose link between firewall policy and IPS policy. Although Cisco has made enormous strides in its management with the release of Cisco Security Manager, the firewall and IPS are not as integrated as they should be. For example, you can't apply different policies to different streams of traffic (such as internal-to-external and internal-to-internal). Only a single policy applies to the IPS. With a new feature called "virtual sensor," you can create multiple policies, but these are applied to virtual LANs or interfaces and still don't match up to the firewall policy.

One of the most interesting IPS implementations tested was IBM Internet Security Systems' Proventia MX5010, because it came to the UTM space as an IPS first, a firewall second. While the Proventia has every bit of IPS configurability stripped out of it -- you essentially get two check-boxes in the GUI to turn IPS on or off for all interfaces, all traffic, all the time -- our test results show that this black-box IPS blocks more bad traffic than any other tested.

With the optional SiteProtector management appliance, you do get all of the powerful IBM/ISS IPS and IDS forensics and reporting tools. This creates a strange dichotomy: an almost unmanageable IPS that does a great job. Our fear, though, is that enterprise network managers won't be happy with this level of configuration, because as soon as a false positive shows up, the IT reaction to the Proventia MX5010 configuration goes from "wow" to "you've got to be kidding." IBM/ISS has taken a branch-office UTM and scaled the performance up to astonishing highs, but hasn't scaled the management and control up to enterprise standards.

Applying rules to traffic flows

In a UTM firewall that mediates internal and external communications, or even just protects user networks and a demilitarized zone or service network, having different policies for Web clients and Web servers seems an obvious requirement. While some of the IPS implementations let you define specific addresses to be protected by each signature, the burden of doing that for hundreds or even thousands of signatures is obscenely high and we didn't consider that a realistic alternative to having multiple policies.

Juniper's ISG-1000 and SSG-520M have a tight linkage between firewall policy and different IPS policies, as does the WatchGuard Firebox. For example, when each firewall policy rule in the Juniper ISG-1000 is created, the rule can specify whether this traffic also is sent to the IPS. Then, at the IPS each traffic flow can select a different set of IPS signatures to apply. The other firewalls we looked at don't offer that flexibility about linking rules to traffic flows.

Secure Computing's Sidewinder does support different IPS policies in different zones. The Sidewinder got its IPS capabilities only in the latest version of its software -- so recent that for our initial tests, Secure Computing had to fix bugs in the firewall to get the IPS to detect and block attacks. The GUI used in this version to manage the IPS is extremely weak. To see any information about a signature, you have to log on using the command-line interface (CLI), navigate to a directory on the firewall and look at a file where the signatures are stored.