Internet Edge and Defense in Depth
Justin M. Streiner
streiner at cluebyfour.org
Tue Dec 6 22:06:08 UTC 2011
On Tue, 6 Dec 2011, Holmes,David A wrote:
> Some firewall vendors are proposing to collapse all Internet edge
> functions into a single device (border router, firewall, IPS, caching
> engine, proxy, etc.). A general Internet edge design principle has been
> the "defense in depth" concept. Is anyone collapsing all Internet edge
> functions into one device?
As others have said, this could make sense at the smaller end of the scale
(SOHO, branch offices, small shops, etc), but I haven't seen an all-in-one
box that scales up to the traffic loads or handles things like routing
protocols especially well in a large network. The marketing folks will
often dance around the issue of throughput dropping as services or
modules are turned on, but that's a big problem. I'm perfectly happy
having border routers sitting at my borders, doing the routing, and
firewalls elsewhere, doing the firewalling :)
Another thing to remember is that existing router manufacturers have
gotten pretty good (a few exceptions aside) at building pretty stable
routing implementations. All-in-one box manufacturers that claim to be
able to handle IPv6, BGP, OSPF(v2/v3), etc are basically starting out from
scratch and don't have the benefit of the 10+ years of experience that
Cisco/Juniper/et al have in building routers.
jms