Cisco is entering the intrusion-prevention system market with five appliances and software that adds IPS capabilities to Cisco switches, firewalls and routers.

The network-based IPS appliances, set for delivery next month, will range from a low-end 80Mbit/s up to 7Gbit/s. The ability to identify and block network attacks will work identically across the Cisco appliances, routers, switches and the PIX firewall.

The new lineup will pose an obvious threat to a growing field of competitors that includes Internet Security Systems, McAfee, Symantec, 3Com's TippingPoint, Top Layer Networks and start-ups such as V-Secure Technologies.

Concern about computer worms and automated attacks is prompting IT managers to deploy IPSs both at the Internet perimeter and inside the corporate LAN, in spite of the danger of false positives that might cause IPSes to block legitimate traffic.

Cisco, which also announced the VPN 3000 Concentrator for combined SSL or IPSec-based tunneling, calls the security products rollout its "adaptive threat defense", says Jayshree Ullal, senior vice president of Cisco's security technology group.

The design of the Cisco IPS will include the ability to generate a "risk rating of the event and asset value of the target" when an attack is identified and blocked, Ullal says. Like other IPS appliances, the Cisco line will be able to work in a passive-detection mode like an intrusion-detection system.

Ullal says Cisco's IPS is intended to function well in VoIP networks without disrupting traffic. "The IPS is going to protect voice gateways from attack," she says.

Industry analysts say Cisco's push into IPS is a reaction to growing market demand for more proactive options than that of intrusion detection. "So far, they've only had detection capability," says Paul Stamp, an analyst with Forrester. "But Cisco has a good reputation in detection, so IPS shouldn't be too hard for them."

Some technical experts and IT managers who have gained hands-on experience with network-based IPSs say the only way to find out if an IPS will disrupt network traffic is to put it in line and hold your breath.

"In our labs, we can create false-positives tests, but the only way to be sure is to put one of these things in your network and watch it for a while," says Bob Walder, president of NSS Group, a British equipment-testing organisation with labs in the south of France.

NSS, which has tested both host and network-based IPSs and IDSs for accuracy in detecting hundreds of types of attacks, also looks for latency problems caused by IPSs struggling to keep up with examining traffic flows. "When you go in-line with monitoring or blocking, you have a huge signature set. It can be difficult for the IPS to keep up," Walder says. In general, network managers should anticipate that an IPS will not add more than 300ms of latency. But if IPS devices are deployed at LAN segments, which is increasingly the case, the traffic slowdown might be more noticeable. "I've seen a file copy that would have ordinarily taken 40 seconds take several minutes as it went through two or three IPSs," he says.

In addition to its IPS rollout, Cisco is also releasing the PIX Security Appliance 7.0. This software-based change for the PIX VPN/firewall lets it perform application inspection and prevent some types of spyware and peer-to-peer network traffic, and provide "logical firewalls" within a single firewall. "You can create extranet and intranet zones," Ullal says, by portioning internal firewalls with PIX Security Appliance.

She acknowledges this was Cisco's first step into adding application-layer protections to the PIX firewall, and the PIX Security Appliance 7.0 wouldn't detect or block cross-site scripting, a function available in most application firewalls, such as those from Teros and Imperva.