Do you need a special device to do leak prevention?

Can a firewall do leak prevention? In putting together an upcoming webinar this question was put forward.  There is justifiable reticence to adding yet another network device between the corporate network and the outside. Anything that is in-line needs to be highly available and redundant and never fail (well, hardly ever).  So why not ask your existing firewall to detect and block critical data when it is being transmitted via html, email, ftp, or instant message?   The answer is two-fold. The hard part of leak prevention is identifying and classifying data. No matter what, you need a new layer of discovery and technology to do that function. You also need a management console to allow policy to be crafted and set. The other problem is that most firewalls still do not do full packet inspection. If you want to intercept an email that contains sensitive information you need to be able to assemble that email from the payloads of multiple packets and compare it, using an algorithm, to known sensitive information hashes.   Most firewalls are not able to do this.  Keep an eye on the ones that do. They are most likely to start offering true leak prevention and that will be done though partnering with the leak prevention companies that have already figured out how to identify and classify data.