Internet Edge and Defense in Depth

Tim Eberhard xmin0s at gmail.com
Tue Dec 6 23:13:14 UTC 2011


To echo what James has already said..

I would say it's possible on the low/medium size enterprise network
market. With that stated 70-80% of the time it's not designed
correctly or a vendor issue pops up causing them to disable the
feature.

Careful planning must be done ahead of time. When looking at the spec
sheets you can't look at the numbers and take them for face value. In
most cases those numbers were achieved when *only* running that
specific feature.

So if a vendor claims 90meg of IPS throughput, 500meg of firewall
throughput and 100meg of UTM, chances are that 90meg of IPS traffic
will take the box to its knees. So if you're planning on using the data
sheet numbers you've most likely already failed.

Plan carefully, test thoroughly, and in the end... you still may hit a
bug or unexpected show stopper. I'd rather use the best tool for the
job rather than jam everything into one box so I can share a
chassis...

Just my two cents,
-Tim Eberhard

On Tue, Dec 6, 2011 at 3:32 PM, JAMES MCMURRY <jim at miltonsecurity.com> wrote:
> I have seen at quite a few of our customers locations, starting out with a lofty goal of putting everything in a single box (UTM) and turning every single option on.
>
> In ~ 30% of the firms who do so it works out ok (not great, but it works).  In the majority, the customer winds up turning features off one by one, and moving those to another system.
>
>
> Jim
>
>
> On Dec 6, 2011, at 1:25 PM, -Hammer- wrote:
>
>> I personally have not seen it done in large environments. Hardware isn't there yet. I've seen it done in small business environments. Not a fan of the idea.
>>
>> -Hammer-
>>
>> "I was a normal American nerd"
>> -Jack Herer
>>
>>
>>
>> On 12/06/2011 03:16 PM, Holmes,David A wrote:
>>> Some firewall vendors are proposing to collapse all Internet edge functions into a single device (border router, firewall, IPS, caching engine, proxy, etc.). A general Internet edge design principle has been the "defense in depth" concept. Is anyone collapsing all Internet edge functions into one device?
>>>
>>> Regards,
>>>
>>> David
>>>
>>>
>
>