[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Internet Edge and Defense in Depth

Subject: Internet Edge and Defense in Depth
From: jof at thejof.com (Jonathan Lassoff)
Date: Tue, 6 Dec 2011 13:44:05 -0800
In-reply-to: <CAA8=vb5PzUz=CxhMxE=B0fxXGVe1oNjRK6+4qpWqjpQvhmVRHw@mail.gmail.com>
References: <[email protected]> <CAA8=vb5PzUz=CxhMxE=B0fxXGVe1oNjRK6+4qpWqjpQvhmVRHw@mail.gmail.com>

I would argue that collapsing all of your policy evaluation and routing for
a size/zone/area/whatever into one box is actually somewhat detrimental to
stability (and consequently, security to a certain extent).

Cramming every little feature under the sun into one appliance makes for
great glossy brochures and Powerpoint decks, but I just don't think it's
practical.

Take a LAMP hosting operation for example. Which will scale the furthest to
handle the most amount of traffic and stateful sessions: iptables and snort
on each multi-core server, or one massive central box with some interface
hardware and Cavium Octeons.
If built properly, my money's on the distributed setup.

Cheers,
jof

References:
- Internet Edge and Defense in Depth
  - From: dholmes at mwdh2o.com (Holmes,David A)
- Internet Edge and Defense in Depth
  - From: david at davidswafford.com (David Swafford)

Prev by Date: CMDB on the cheap...
Next by Date: [[email protected]: C|Net Download.Com is now bundling Nmap with malware!]
Previous by thread: Internet Edge and Defense in Depth
Next by thread: Internet Edge and Defense in Depth
Index(es):
- Date
- Thread