Internet Edge and Defense in Depth
paul at paulgraydon.co.uk
Tue Dec 6 17:02:45 CST 2011
On 12/06/2011 11:16 AM, Holmes,David A wrote:
> Some firewall vendors are proposing to collapse all Internet edge functions into a single device (border router, firewall, IPS, caching engine, proxy, etc.). A general Internet edge design principle has been the "defense in depth" concept. Is anyone collapsing all Internet edge functions into one device?
Yikes... single point of failure. I really dislike the notion that all
the security comes down to a single potentially compromisable point.
Our security functions like IPS run separately from centralised logging,
etc. etc., so that if someone does happen to break into a particular
point there are still further things they need to try to compromise
before they can have their wicked way, or whatever it is they want to do.
Sure, the economies of a centralised box and the convenience are probably
tempting, and it's better than nothing, but I can't picture it actually
being an improvement over split-out functions.