nanog mailing list archives
Re: Internet Edge and Defense in Depth
From: Jonathan Lassoff <jof () thejof com>
Date: Tue, 6 Dec 2011 13:44:05 -0800
I would argue that collapsing all of your policy evaluation and routing for a size/zone/area/whatever into one box is actually somewhat detrimental to stability (and consequently, security to a certain extent). Cramming every little feature under the sun into one appliance makes for great glossy brochures and PowerPoint decks, but I just don't think it's practical.

Take a LAMP hosting operation for example. Which will scale the furthest to handle the greatest amount of traffic and stateful sessions: iptables and snort on each multi-core server, or one massive central box with some interface hardware and Cavium Octeons? If built properly, my money's on the distributed setup.

Cheers,
jof
