Internet Edge and Defense in Depth

Robert Brockway robert at
Tue Dec 6 23:20:05 UTC 2011

On Tue, 6 Dec 2011, Holmes,David A wrote:

> Some firewall vendors are proposing to collapse all Internet edge 
> functions into a single device (border router, firewall, IPS, caching 
> engine, proxy, etc.). A general Internet edge design principle has been 
> the "defense in depth" concept. Is anyone collapsing all Internet edge 
> functions into one device?

Hi David.  A principle of network firewall design has long been that you 
want to minimise services (proxy, etc) running there as they can be a 
vector for attack against the firewall itself.

In the end this is about risk analysis.  In most cases I would recommend 
against loading the firewall with additional functionality, for a variety 
of reasons.  In some cases it may make sense to do so.

This is completely separate to whether servers should even have a firewall 
or IPS in front of them.  That's another (interesting) discussion :)



Email: robert at		Linux counter ID #16440
IRC: Solver (OFTC & Freenode)
Director, Software in the Public Interest (
Free & Open Source: The revolution that quietly changed the world
"One ought not to believe anything, save that which can be proven by nature and the force of reason" -- Frederick II (26 December 1194 – 13 December 1250)

More information about the NANOG mailing list