We often laud the innovation we see in quality-of-service appliances that enforce application-prioritization rules by inspecting packets through Layer 7. These appliances, from companies such as Allot and Packeteer, deliver some intrusion detection and denial-of-service protection side benefits, thanks to their ability to identify traffic and shape it according to policy.

Now enter iPolicy Networks, with WAN-edge gear that works in a conceptually similar manner but sets and enforces security policies, rather than QoS policies, as its primary function.  The company's IP Enforcer product line tackles the many facets of enterprise network security in a single, overlay architecture with a unified management system, which the company announced this week.

Given that enterprises are fretting over their network security infrastructures (see "User group defines security needs," http://www.nwfusion.com/news/2004/0426nac.html), the idea of a do-it-all network security overlay that leaves your routing/switching infrastructure intact sounds pretty appealing. What remains to be seen, of course, is how iPolicy gear fares amidst the old reliables in the network security space, such as CheckPoint, Cisco and NetScreen.

Among the security tasks that iPolicy's IP Enforcer equipment and Unified Security Manager software reportedly support:

* Firewall filtering (access control).
* Content (URL and spam) filtering.
* Intrusion detection and prevention (applied to traffic and protocol anomalies).
* VPN encryption.
* Anti-virus protection and automatic updating.
* Correlation of multiple risks in a single event.

IPolicy has created a new industry product category for its Layer 3 - 7 security devices: "intrusion prevention firewalls." Because all the security applications are integrated - a device can inspect a given packet just once against multiple rules - the company says it does not take the performance hit that some competing products do when running multiple security applications.

Those products combine multiple functions into a single device, but within the device, each function must inspect each packet separately, says Manish Gupta, director of marketing at iPolicy. Many also require separate management systems to set rules against each security function, he says.

These seem like valid issues you might wish to check out with potential vendors when evaluating products.

Next time: More on the architecture specifics, pricing, and other security issues and alternatives.

Steve Taylor is president of Distributed Networking Associates and publisher/editor-in-chief of Webtorials. Jim Metzler is vice president of Ashton, Metzler & Associates.