nanog mailing list archives
Re: Internet Edge and Defense in Depth
From: "Justin M. Streiner" <streiner () cluebyfour org>
Date: Tue, 6 Dec 2011 17:06:08 -0500 (EST)
On Tue, 6 Dec 2011, Holmes,David A wrote:
Some firewall vendors are proposing to collapse all Internet edge functions into a single device (border router, firewall, IPS, caching engine, proxy, etc.). A general Internet edge design principle has been the "defense in depth" concept. Is anyone collapsing all Internet edge functions into one device?
As others have said, this could make sense at the smaller end of the scale (SOHO, branch offices, small shops, etc), but I haven't seen an all-in-one box that scales up to the traffic loads or handles things like routing protocols especially well in a large network. The marketing folks will often dance around the issue of throughput dropping as services or modules are turned on, but that's a big problem. I'm perfectly happy having border routers sitting at my borders, doing the routing, and firewalls elsewhere, doing the firewalling :)
Another thing to remember is that existing router manufacturers have gotten pretty good (a few exceptions aside) at building pretty stable routing implementations. All-in-one box manufacturers that claim to be able to handle IPv6, BGP, OSPF(v2/v3), etc are basically starting out from scratch and don't have the benefit of the 10+ years of experience that Cisco/Juniper/et al have in building routers.
jms