Christopher Moody

St. Bernard's iPrism 1200 is a 1U rack-mountable appliance. With clearly labelled network ports, it is very simple to connect to the network. St. Bernard also sells the iPrism 3000, which is aimed at larger organizations, with Gigabit Ethernet.

The smallest appliance on test, Blue Coat's ProxySG 200 is half the width of standard rack mount equipment and uses a notebook-style power supply. Rather than a pure web filtering appliance, the ProxySG 200 is a full-fledged web proxy, with URL filtering built in. This makes it quick to process requests and gives you a single point of management for your proxy and web filtering.

Finjan Software's NG-5100 can be deployed as a single box, but the system supports a distributed environment where one appliance serves as a policy server, while others can scan through load balancing. It can sit as either a standard web proxy, in which case you have to reconfigure all client computers, or as a transparent web proxy.

Clearswift's MIMEsweeper for Web applies the company's email filtering system to the internet. It will install on a single Windows 2000/2003 server and works as a web proxy, scanning all requests.

NetIQ's WebMarshal now supports all versions of Windows server. The installation is simple, but you need an SQL server on the network. While this means that you have to factor this cost into the purchase, it means you can distribute the WebMarshal install for better performance and scalability. You can also run the database on the same PC, as we did for our test.

Pearl Software's Echo 6 works in a slightly different way to the other products on test. Rather than blocking web traffic at the gateway, Echo uses a client/server approach. The server dictates the policy, while clients installed on each PC control internet access locally. While the server is very quick and easy to install, there's quite a lot of leg work involved in distributing the client to all of your network's computers.

SurfControl's Web Filter is, perhaps, the best known web filtering product on the market. We reviewed the Windows version of the product, but there are also versions available for Cisco CE, Check Point, Microsoft ISA and several third-party appliances, including Blue Coat and Finjan, both in this test. The standard Windows version is flexible – but you will need one copy of the filter per network.

Websense's Web Filtering application is part of its Websense Enterprise suite of tools. It requires a copy of Windows 2000/2003 Server and a compliant web server. We used it with Microsoft's IIS, but you can also use Apache.

Barbedwire's 1U DPI 100e is a firewall product that uses a 2GHz Celeron processor and 256MB RAM to provide enough power to run its IDS/IPS services.

The APD 1000 is a 1U, Pentium 4-based server running Linux. As such, the first configuration steps are to connect a keyboard and mouse, and enter a management IP address for its management Fast Ethernet interface. It's quick and easy to do, and then gives access to the ADP 1000's web-based management, the Dashboard.

McAfee's IntruShield 2700 fits into the middle of its range, offering 600Mbps of throughput. It has six Fast Ethernet and two GBIC ports for detection, and three Fast Ethernet ports for responses. You can install it in either tap mode or inline mode, where the box sits between the router and main network. In inline mode, it's recommended that you use the appliance's high-availability mode.

Symantec's NS 7120 uses a similar-looking chassis to its firewall range, complete with the LCD control panel. This means it is the easiest device to initially configure, as you can set an IP address within minutes of turning it on.

This is a 2U chassis designed to block attacks before they cause damage. It sits between the WAN and firewall, rather than inside the firewall as with other products.

The Proventia G400 might look like a standard rack-mount Intel-based server, but it's a lot more than that. The hardware was specifically chosen, drivers written for it and a network agent pre-installed. As a result, it can cope with up to 400Mbps of throughput and monitor up to four network segments using its four copper and four fiber Gigabit Ethernet ports.

NFR's Sentivist IPS uses a combination of hardware sensors, and software for managing. It ships with a Java-based management console, which is good for monitoring and configuring individual sensors.

This is part of SonicWall's security platform appliance range. It's the top-of-the-line model, featuring six Gigabit Ethernet ports and an Intel Xeon processor. Technically, it's not actually an IPS appliance, but more of a firewall with IPS abilities. That said, you can turn the main firewall off and operate it in-line with another firewall.

Sourcefire's Intrusion Sensor 2000 (IS2000) is an Intel-based appliance that runs a hardened version of Linux and the intrusion detection software. It uses two Fast Ethernet interfaces and has a throughput of 100Mbps.

This IPS (the renamed UnityOne-50) is the baby of TippingPoint's range, able to support throughput of up to 50Mbps – but the firm has a full range of products, able to cope with throughput up to five gigabits. The TippingPoint 50 has dual Fast Ethernet ports, so it can work inline with a connection and a dedicated management port.

This might not be the most attractive appliance, with a bright green front, but its flexible architecture is likely to win it support. It is designed to sit internally or between the firewall and router and can support up to 100Mbps of network traffic. It comes with two Fast Ethernet ports and operates in-line with a network connection. There is also a dedicated management port.

XSGuard's C-Series is the easiest product to install. Just plug the internal side of your network into the marked Fast Ethernet port and the external side in the other marked port. Turn the box on and it connects to the XSGuard servers and starts filtering traffic at 100Mbps.