nanog mailing list archives

Re: Internet Edge and Defense in Depth

From: Paul Graydon <paul () paulgraydon co uk>
Date: Tue, 06 Dec 2011 13:02:45 -1000

On 12/06/2011 11:16 AM, Holmes,David A wrote:

Some firewall vendors are proposing to collapse all Internet edge functions into a single device (border router, firewall, IPS, 
caching engine, proxy, etc.). A general Internet edge design principle has been the "defense in depth" concept. Is 
anyone collapsing all Internet edge functions into one device?

Regards,

David

Yikes... single point of failure. I really dislike the notion that allthe security comes down to a single potentially compromisable point.Our security functions like IPS run separate to centralised logging,etc. etc. so that if someone does happen to break in to a particularpoint there are still further things they need to try to compromisebefore they can have their wicked way, or whatever it is they want to do.Sure the economies of a centralised box and the convenience are probablytempting, and it's better than nothing, but I can't picture it actuallybeing an improvement over split out functions.


Paul

Current thread:

Internet Edge and Defense in Depth Holmes,David A (Dec 06)
- Re: Internet Edge and Defense in Depth -Hammer- (Dec 06)
  - Re: Internet Edge and Defense in Depth JAMES MCMURRY (Dec 06)
    - Re: Internet Edge and Defense in Depth Tim Eberhard (Dec 06)
- Re: Internet Edge and Defense in Depth David Swafford (Dec 06)
  - Re: Internet Edge and Defense in Depth Jonathan Lassoff (Dec 06)
- Re: Internet Edge and Defense in Depth Justin M. Streiner (Dec 06)
- Re: Internet Edge and Defense in Depth Paul Graydon (Dec 06)
- Re: Internet Edge and Defense in Depth Robert Brockway (Dec 06)
  - Re: Internet Edge and Defense in Depth Dobbins, Roland (Dec 06)
  - Re: Internet Edge and Defense in Depth Mark Tinka (Dec 06)
    - Re: Internet Edge and Defense in Depth Mark Tinka (Dec 06)