Intrusion prevention wasn't a focus for this level of firewall, Russell says. An integrated IPS-firewall works best at speeds no higher than 1Gbps, he contends, noting that enterprises needing better performance tend to use separate firewalls and IPSs.
Jon Yun, a Juniper product marketing manager, agrees. "In the server-server scenario, depending on the performance, the integrated IPS products would be ideal. But if there's a huge data center or service-provider type of network, then a dedicated box may be better suited," he says. "Right now, we're at 30Gbps throughput [with the NetScreen-5400]. And if you deploy a firewall like that and then you virtualize it so that it supports 10 different servers on the back end, it still gives you quite a bit of capacity and throughput."
Check Point is working to make sure its software can make the best use of Intel's multicore chip technology. The goal is to keep performance high while adding such features as IPS. "We're looking to speed up this whole idea of application awareness and intelligence," says Bill Jensen, product marketing manager for Check Point's VPN-1 line. "If you buy a US$5,000 server from IBM or Dell that has a couple of the Intel multicore chips on it, and you turn on 70 per cent of the application inspection in our firewall software, you're still going to run around 2Gbps, which is very high."
Server-to-server firewalls, on the other hand, don't require as much IPS horsepower, Jensen says, because they can be tuned specifically to individual server traffic (vs. perimeter firewalls that need to check everything coming into the enterprise). "Once you get into individual racks in the data center and you can have a lower level of inspection turned on, the performance shoots up even higher," he says.
Beyond performance hits, budgets can get in the way, users say. Baptist Healthcare System in the US, uses Cisco PIX firewalls at its perimeter and is rolling out stand-alone IBM-ISS IPS boxes at the edge of its data center. While per-server, NAC-like protection is the ideal, "we have to do more edge-based protection, where there's more bang for our buck," says Tom Taylor, Baptist Healthcare's corporate manager for client/server infrastructure.
Jim Laval, network manager at the organization, agrees. "It took us two years of budget process just to get the first phase of the IPS project approved, and that was about US$110,000. I don't see us going to the server level anytime soon."
Cummings is a freelance writer in the US. She can be reached at firstname.lastname@example.org.