Home page logo

nanog logo nanog mailing list archives

Re: Internet Edge and Defense in Depth
From: Paul Graydon <paul () paulgraydon co uk>
Date: Tue, 06 Dec 2011 13:02:45 -1000

On 12/06/2011 11:16 AM, Holmes,David A wrote:
Some firewall vendors are proposing to collapse all Internet edge functions into a single device (border router, firewall, IPS, 
caching engine, proxy, etc.). A general Internet edge design principle has been the "defense in depth" concept. Is 
anyone collapsing all Internet edge functions into one device?



Yikes... single point of failure. I really dislike the notion that all the security comes down to a single potentially compromisable point. Our security functions like IPS run separate to centralised logging, etc. etc. so that if someone does happen to break in to a particular point there are still further things they need to try to compromise before they can have their wicked way, or whatever it is they want to do. Sure the economies of a centralised box and the convenience are probably tempting, and it's better than nothing, but I can't picture it actually being an improvement over split out functions.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]