Internet Edge and Defense in Depth

Justin M. Streiner streiner at cluebyfour.org
Tue Dec 6 22:06:08 UTC 2011


On Tue, 6 Dec 2011, Holmes,David A wrote:

> Some firewall vendors are proposing to collapse all Internet edge 
> functions into a single device (border router, firewall, IPS, caching 
> engine, proxy, etc.). A general Internet edge design principle has been 
> the "defense in depth" concept. Is anyone collapsing all Internet edge 
> functions into one device?

As others have said, this could make sense at the smaller end of the scale 
(SOHO, branch offices, small shops, etc), but I haven't seen an all-in-one 
box that scales up to the traffic loads or handles things like routing 
protocols especially well in a large network.  The marketing folks will 
often dance around the issue of throughput dropping as services or 
modules are turned on, but that's a big problem.  I'm perfectly happy 
having border routers sitting at my borders, doing the routing, and 
firewalls elsewhere, doing the firewalling :)

Another thing to remember is that existing router manufacturers have 
gotten pretty good (a few exceptions aside) at building pretty stable 
routing implementations.  All-in-one box manufacturers that claim to be 
able to handle IPv6, BGP, OSPF(v2/v3), etc are basically starting out from 
scratch and don't have the benefit of the 10+ years of experience that 
Cisco/Juniper/et al have in building routers.

jms
