Internet Edge and Defense in Depth

Paul Graydon paul at
Tue Dec 6 23:02:45 UTC 2011

On 12/06/2011 11:16 AM, Holmes,David A wrote:
> Some firewall vendors are proposing to collapse all Internet edge functions into a single device (border router, firewall, IPS, caching engine, proxy, etc.). A general Internet edge design principle has been the "defense in depth" concept. Is anyone collapsing all Internet edge functions into one device?
> Regards,
> David
Yikes... single point of failure.  I really dislike the notion that all 
the security comes down to a single potentially compromisable point.  
Our security functions like IPS run separate to centralised logging, 
etc. etc. so that if someone does happen to break in to a particular 
point there are still further things they need to try to compromise 
before they can have their wicked way, or whatever it is they want to do.
Sure the economies of a centralised box and the convenience are probably 
tempting, and it's better than nothing, but I can't picture it actually 
being an improvement over split out functions.


More information about the NANOG mailing list