WAN experts Steve Taylor and Jim Metzler analyze and share best practices on WAN issues from optimization to management.
A more robust kind of firewall than we are accustomed to might wind up serving as a comprehensive security overlay system for enterprises. We mentioned this last week when describing iPolicy's recently announced enterprise Layer 3 - 7 "intrusion prevention firewall."
iPolicy's device, which got its start in the carrier community, runs several security applications, yet it needs to inspect a packet only once to enforce the rules for each of them. It can reportedly also correlate information across those applications to identify multiple risks in a single event.
The iPolicy device reflects Gartner's June 2003 prediction, which we wrote about last fall, that traditional firewalls would be supplanted by deep-inspection firewalls combining network- and application-level filtering with anti-virus protection.
"Intrusion prevention systems and application-specific firewalls came about only because of failures in firewalls," said Richard Stiennon, vice president of security research at Gartner (and the analyst who made the prediction) in an interview last week.
Stiennon, who estimates that 98% of all businesses have firewalls, called the iPolicy system "network security nirvana."
He cites Check Point and NetScreen, which have introduced intrusion prevention devices and are moving toward integrating them with their firewalls, as evidence that more new-generation firewalls are coming.
Cisco, at this juncture, remains oriented toward sprinkling different types of security products throughout the network. On one hand, this seems more complex and expensive. On the other, though, there remains a single-point-of-failure consideration with the all-in-one approach.
Additional iPolicy architecture details:
* A Global Security Interface serves as a management interface into the centralized Global Security Administrator (GSA), a server software-based security policy "engine."
* The GSA sets and enforces rules for up to 1,000 intrusion prevention firewalls, called IP Enforcers.
* The GSA links to Local Security Supervisors (LSS), the server software at your various sites. You can use an LSS to customize rules at each site, if appropriate.
* The LSSs connect to either the IP Enforcer 3400 (400M bit/sec, $18,000 to $20,000) or IP Enforcer 3100 (100M bit/sec, $8,000 to $10,000). These devices sit between your WAN access router and internal network, connecting to the "DMZ" of Web and authentication servers in the middle.
Steve Taylor is president of Distributed Networking Associates and publisher/editor-in-chief of Webtorials. Jim Metzler is vice president of Ashton, Metzler & Associates.