Finjan Software's NG-5100 can be deployed as a single box, but the system supports a distributed environment where one appliance serves as a policy server, while others can scan through load balancing. It can sit as either a standard web proxy, in which case you have to reconfigure all client computers, or as a transparent web proxy.

As a web filtering product it works in a slightly different way to the others on test. Rather than develop its own software, Finjan lets you use SurfControl or Secure Computing's scanning engines. It also lets you use both together.

It's quite easy to configure in the first instance, thanks to the web-based setup wizard. A few clicks sort out the basic configuration and you choose the scanning engines you want to use.

Using two scanners means you're less likely to have a hole in the filtering, but requires that you buy licenses for both products. For web filtering this is probably overkill, as well. It makes more sense with the appliance's antivirus support, as running two engines means that you're less likely to miss a virus. The NG-5100 also has anti-spyware, as well as application-layer blocking to protect against unknown attacks.

The web-based console is simple and allows blocking by category, pulling in categories from the URL database. Rules can also use more than one scanning engine. So you can create almost any rule to enforce your policy.

If you want to add protection into the middle of the enterprise, Finjan's one-box approach is a good choice. But if you're looking to add web filtering to an existing secure infrastructure, there are cheaper and easier ways to do it.