Juniper Networks' ISG-1000 and Cisco's ASA5540 with its add-on SSM-20 IPS module offer no-compromise IPS products that will make the security purist happy with their configurability and control features.

We rank the ASA5540 slightly behind the ISG-1000, because of Cisco's fairly loose link between firewall policy and IPS policy. Although Cisco has made enormous strides in its management with the release of Cisco Security Manager, the firewall and IPS are not as integrated as they should be. For example, you can't apply different policies to different streams of traffic (such as internal-to-external and internal-to-internal). Only a single policy applies to the IPS. With a new feature called "virtual sensor," you can create multiple policies, but these are applied to virtual LANs or interfaces and still don't match up to the firewall policy.

One of the most interesting IPS implementations tested was IBM Internet Security Systems' Proventia MX5010, because it came to the UTM space as an IPS first, a firewall second. While the Proventia has every bit of IPS configurability stripped out of it -- you essentially get two check-boxes in the GUI to turn IPS on or off for all interfaces, all traffic, all the time -- our test results show that this black-box IPS blocks more bad traffic than any other tested.

Click here to view chart:  Tracking IPS catch rates

With the optional SiteProtector management appliance, you do get all of the powerful IBM/ISS IPS and IDS forensics and reporting tools. This creates a strange dichotomy: an almost unmanageable IPS that does a great job. Our fear, though, is that enterprise network managers won't be happy with this level of configuration, because as soon as a false positive shows up, the IT reaction to the Proventia MX5010 configuration goes from "wow" to "you've got to be kidding." IBM/ISS has taken a branch-office UTM and scaled the performance up to astonishing highs, but hasn't scaled the management and control up to enterprise standards.