Re: Internet Edge and Defense in Depth
From: Paul Graydon <paul () paulgraydon co uk>
Date: Tue, 06 Dec 2011 13:02:45 -1000
Yikes... single point of failure. I really dislike the notion that all
the security comes down to a single potentially compromisable point.
Our security functions like IPS run separately from centralised logging,
etc. etc., so that if someone does happen to break into a particular
point there are still further things they need to try to compromise
before they can have their wicked way, or whatever it is they want to do.
Sure, the economies of a centralised box and the convenience are probably
tempting, and it's better than nothing, but I can't picture it actually
being an improvement over split-out functions.

On 12/06/2011 11:16 AM, Holmes,David A wrote:
> Some firewall vendors are proposing to collapse all Internet edge functions into a single device (border router, firewall, IPS,
> caching engine, proxy, etc.). A general Internet edge design principle has been the "defense in depth" concept. Is
> anyone collapsing all Internet edge functions into one device?
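The single-point-of-failure argument above can be made concrete by modelling which security functions an attacker controls after compromising a given device. The following script is an added example, not code from either poster; the device names, the function sets on each device, and the choice of "ips" and "logging" as the detective controls of interest are all constructed for illustration. It compares a collapsed edge appliance against a split-out design and reports, for each, the devices whose compromise alone defeats the chosen controls and the minimum number of devices an attacker would have to compromise.

```python
"""Added example (not from the mailing-list thread): model which edge
security functions are lost when one or more devices are compromised,
for a collapsed appliance versus split-out functions.
Device and function names below are constructed for illustration."""
from itertools import combinations

# Constructed topologies: device name -> set of edge functions hosted on it.
COLLAPSED = {
    "edge-appliance": {"router", "firewall", "ips", "proxy", "cache", "logging"},
}
SPLIT = {
    "border-router": {"router"},
    "fw-cluster": {"firewall"},
    "ips-sensor": {"ips"},
    "proxy-cache": {"proxy", "cache"},
    "log-collector": {"logging"},
}

# Controls whose loss would blind the defender (constructed choice).
DETECTIVE_CONTROLS = {"ips", "logging"}


def functions_lost(topology, compromised):
    """Return the set of functions an attacker controls after compromising
    every device named in `compromised`."""
    lost = set()
    for device in compromised:
        lost |= topology[device]
    return lost


def single_points_of_failure(topology, required):
    """Devices whose compromise, on its own, removes every function in
    `required` (i.e. the whole control set sits on one box)."""
    return sorted(dev for dev, fns in topology.items() if required <= fns)


def min_devices_to_defeat(topology, required):
    """Smallest number of distinct devices an attacker must compromise to
    control all functions in `required`. Brute force over device subsets,
    which is fine for edge-sized topologies. Returns None if some required
    function is not hosted anywhere."""
    devices = list(topology)
    for k in range(1, len(devices) + 1):
        for combo in combinations(devices, k):
            if required <= functions_lost(topology, combo):
                return k
    return None


if __name__ == "__main__":
    for name, topo in (("collapsed", COLLAPSED), ("split", SPLIT)):
        print(f"{name:9s} SPoF={single_points_of_failure(topo, DETECTIVE_CONTROLS)} "
              f"min_devices={min_devices_to_defeat(topo, DETECTIVE_CONTROLS)}")
```

Run as a script it shows the collapsed design has one single point of failure and needs only one compromise to remove both detective controls, while the split design has none and needs two. The model says nothing about how hard each compromise is; it only makes the "further things they need to try to compromise" count explicit for a given placement of functions.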