Internal firewalls are nothing new. For as long as I can remember, WatchGuard (among others) has been pointing out to potential customers that as well as providing a barrier between the LAN and the Internet, you can use exactly the same technology to protect one department's LAN from another's.

And in fact the concept of LAN security is nothing new to Check Point - as long ago as 1998 Xylan were telling us how you could interface their switches to Check Point firewall logic to provide neat tricks like VLAN admission to switching infrastructures.

Obviously InterSpect takes the story further up the ISO stack - VLAN admission and traditional firewalls hover around layers two and three, whereas defending against worms and application-specific attacks goes all the way up to layer six or seven in some cases. But the concept is the same. Someone's suddenly remembered that technology you use at the edge of the network can be used equally well within the corporate network too.

The problem I have with InterSpect is that it's a piece of software running on an appliance (basically a PC server), which sits in the network and ties the various segments together. I can imagine the network guy sitting with the Check Point salesman: "So, you're asking me to unplug the network cables from my central wire-speed, multi-gigabit switch, and plug them into a PC instead?". The top-end InterSpect box is specified as having 1Gbit/sec throughput and a limit of ten 1Gbit/sec ports - which by my maths means a 90 percent drop in performance when compared to a wire-speed switch with ten 1Gbit/sec ports.

Of course, you're trading speed for protection; in principle your network goes slower, but you have a much better level of protection than you had before. I can't help thinking, though, that this type of device is a step backwards. When vendors such as Xylan were starting to bring out switching routers that ran at the proper speeds and interfaced to external devices (including Check Point ones), this struck me as a revelation - you're getting speed when you can, and only slowing down when there's something you need to check with an external box.

Frankly, though, inserting what is effectively a PC into the middle of the network to provide firewall functionality between segments appears to be a step backwards.