Jennifer Jabbusch, CISO of Carolina Advanced Digital, a network design and consulting firm, who is familiar with ProCurve's product line, points out that the Threat Management Module doesn't process all the traffic traversing the switch, only the traffic that is sent between zones through the module, so the interzone traffic load may be far less than the total switch traffic. Jabbusch notes that deploying the Threat Management Module does require redesigning your network topology: instead of a physical choke point, a firewall with a limited number of interfaces through which traffic funnels, the Threat Management Module can support many more interfaces--any interface on the switch. The increased flexibility, if you are careful with capacity planning, is pretty useful.
The Threat Management Module lists for $16,999 for firewall and VPN services. Adding IPS, with a capacity of 1.5 Gb/s, tacks on an additional $2,600, bringing the total to $19,599, which includes one year of IPS signature updates. Subsequent three-year updates list for $9,399. The bundled functionality comes at an attractive price compared to purchasing a firewall, VPN, and IPS separately, where each appliance can start at $10,000, but the capacity of the Threat Management Module is relatively low considering the port density of the 8212 and 5400 switches.
Four Threat Management Modules can be added to the system and managed through ProCurve Immunity Manager in clusters or individually. The additional modules can be used for active/passive HA or simply to add capacity. Module installation is pretty flexible depending on your needs. In addition, the Threat Management Module can be partitioned into zones so access is controlled as traffic crosses internal boundaries in the network. Don't confuse zone access control with ProCurve's NAC solution, however. The zone-based access controls are really designed to act more like network firewalls than to provide fine-grained, user-based access controls.