
nanog mailing list archives

Re: Internet Edge and Defense in Depth
From: David Swafford <david () davidswafford com>
Date: Tue, 6 Dec 2011 16:37:24 -0500

They're proposing that so you buy their device, not renew support on
your existing ones :-D

Personally we just went through this w/ Palo Alto Networks.  We bought
a handful of their all-in-one firewalls simply for their web-filtering
functionality (replacing Bluecoats).  They pitched repetitively that
we should replace all of our firewalls with just their box and
collapse it.

I must say, from a support perspective, the concept of "this box does
web filtering, and that box handles the firewall of our public facing
servers" is worth its weight in gold.  Web filtering alone can get
stupid complex if you let it.  Do you really want to troubleshoot an
inbound web server issue while trying to sort through rules like "Jeff
is allowed to get to Facebook, Marketing can get to Twitter, HR can
see everything, oh wait here's the DMZ rules....".

Boxes are cheap in an environment where staffing is lean.  In SoHo,
and smaller SMBs I could see it being different... we're on the larger
of the "medium business" / small Enterprise side of the fence.

David.


On Tue, Dec 6, 2011 at 4:16 PM, Holmes,David A <dholmes () mwdh2o com> wrote:
Some firewall vendors are proposing to collapse all Internet edge functions into a single device (border router, 
firewall, IPS, caching engine, proxy, etc.). A general Internet edge design principle has been the "defense in depth" 
concept. Is anyone collapsing all Internet edge functions into one device?

Regards,

David




