Companies looking to simplify their network security setups will soon have a handful of new products to choose from that act as firewalls but include other functions such as VPN and intrusion detection.

New gear from Nexsi Systems, iPolicy Networks and ServGate is roughly similar in that it is designed to protect high-bandwidth data centers and contain enough processing power to handle multiple security functions without creating a network bottleneck. But the companies are trying to differentiate themselves through the chips and applications they use in their products.

The companies are among a growing number of vendors, including Asita Technologies and Crossbeam Systems, that are building such devices, according to Jeff Phillips, an analyst with TeleChoice.

"To put in a single device rather than putting in separate pieces for VPN, firewall and intrusion detection is very attractive in a data center," he says.

These security devices also compete against fast firewall/VPN gear made by NetScreen, Cisco, RapidStream and others, Phillips says. He expects vendors of these dual-function devices to add more features over time.

New from Nexsi

Nexsi is introducing the Nexsi 8000, a modular chassis that sits within a service provider network and takes in aggregated traffic from customers.

The box imposes security policies on this traffic and passes it on to data-center servers located on individual virtual LANs (VLANs) to keep customer traffic separate. Nexsi calls these VLANs secure service domains, and each chassis supports 100 of them.

Nexsi is writing all its own security applications so that they function optimally with custom-built processors. The company claims this is an advantage over using general network processors and licensing software from other vendors.

The Nexsi 8000 chassis has a nonblocking backplane so it can simultaneously support an IP Security VPN and a firewall, each at 8G bit/sec.

The six-slot chassis supports 12 Gigabit Ethernet ports, eight for traffic and four for management or to connect with a redundant Nexsi 8000.

Nexsi 8000 will be available in the fourth quarter with VPN, firewall and bandwidth management applications. In the first quarter of next year, the company will add Web switching and Secure Sockets Layer acceleration functions.

IPolicy's IPEnforcer

IPolicy Networks is introducing iPEnforcer 5000, which combines the functions of a firewall and intrusion detection server. The company plans to add other security applications, such as VPN and URL filtering. IPEnforcer 5000 can perform these functions simultaneously at up to 2G bit/sec.

The box can keep separate sets of policies for up to 100 separate corporate accounts and 500,000 simultaneous sessions.

IPolicy says it will ship the iPEnforcer 5000 security appliance in October and that it will sport quality-of-service technology that protects the device from being swamped by denial-of-service attacks.

Customers will be able to configure the appliance to turn down bandwidth available to certain traffic or limit the number of TCP connections from a given source.

The company says the device's software architecture parses packets as they come into the box, and the data gathered about them is shared among all the security applications. This relieves processors from having to scan packets individually for each security application.

IPolicy partners with other companies, including Symantec for intrusion detection and Elron for firewall technology, for some of the security applications that run on the 5000.

Management software for iPEnforcer 5000 lets customers set up and enforce security profiles. The software also allows multiple views of and access to the network. So a security services wholesaler could have a view of all the iPEnforcers in the network, an ISP that is the customer of the wholesaler might have a view of just the iPEnforcers it uses, and the ISP's customers might get their own view of their policies. Each group could have rights to change profiles.

The box supports up to four applications at once, but an additional processor card will be available in the fourth quarter that will boost that to seven applications.

The iPEnforcer 5000 is a fixed-configuration box with four Gigabit Ethernet ports. The company plans a smaller device, iPEnforcer 3000, for enterprise data centers, and a larger chassis-based model called iPEnforcer 9000.

IPEnforcer 5000 costs $99,000 plus $25,000 for the management software.

ServGate makes N+I splash

ServGate introduced at NetWorld+Interop 2001 in Atlanta the SG2000H, a carrier-grade version of its enterprise data center device.

The new model supports 500 virtual firewalls; that is, it supports 500 separate sets of policies for individual customers.

The older edition acts as a single firewall.

The new device supports 1G bit/sec firewall throughput. By year-end, the device will also support virus scanning and VPNs.

The company claims its firewalls handle packet processing better than other devices because of a proprietary algorithm it uses to compare packets to firewall policies. As a firewall gets a packet, it checks whether a TCP session for that packet stream already exists. If not, it has to decide whether to block the packet or let it through by checking it against set firewall rules.
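The session-table check described above, together with the per-customer policy sets behind the "virtual firewalls" and the per-source TCP connection cap mentioned for iPEnforcer, written out as an added example; this is illustrative code, not ServGate's, iPolicy's or Nexsi's own implementation, and the tenant names, addresses and rule format are constructed.

```python
# Minimal stateful packet filter: an existing TCP session short-circuits
# rule evaluation; a new flow (SYN) is checked against the ordered rule set
# of the tenant (virtual firewall) it belongs to, and accepted flows are
# recorded in the session table. Tenant/rule layout is constructed here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    tenant: str        # customer / virtual firewall the packet belongs to
    src: str
    dst: str
    dport: int
    syn: bool = False  # True for a TCP connection request (new stream)


@dataclass
class Rule:
    action: str        # "allow" or "deny"
    dst: str = "*"     # "*" matches any destination address
    dport: int = 0     # 0 matches any destination port


class StatefulFirewall:
    def __init__(self, policies, max_conns_per_src=3):
        self.policies = policies   # tenant -> ordered list of Rule (first match wins)
        self.sessions = set()      # (tenant, src, dst, dport) of accepted streams
        self.max_conns = max_conns_per_src

    def filter(self, pkt):
        key = (pkt.tenant, pkt.src, pkt.dst, pkt.dport)
        if key in self.sessions:
            return "allow"         # established stream: no rule scan needed
        if not pkt.syn:
            return "deny"          # mid-stream packet with no known session
        # Per-source connection cap limits how many sessions one source may open.
        open_from_src = sum(1 for s in self.sessions
                            if s[0] == pkt.tenant and s[1] == pkt.src)
        if open_from_src >= self.max_conns:
            return "deny"
        # First matching rule in the tenant's own policy set decides.
        for rule in self.policies.get(pkt.tenant, []):
            if rule.dst in ("*", pkt.dst) and rule.dport in (0, pkt.dport):
                if rule.action == "allow":
                    self.sessions.add(key)   # remember the stream for later packets
                return rule.action
        return "deny"              # no rule matched: default deny
```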

SG2000H is available in the fourth quarter for $75,000.

www.nexsi.com
www.ipolicynetworks.com
www.servgate.com