Internet Edge and Defense in Depth
- Subject: Internet Edge and Defense in Depth
- From: streiner at cluebyfour.org (Justin M. Streiner)
- Date: Tue, 6 Dec 2011 17:06:08 -0500 (EST)
- In-reply-to: <[email protected]>
- References: <[email protected]>
On Tue, 6 Dec 2011, Holmes,David A wrote:
> Some firewall vendors are proposing to collapse all Internet edge
> functions into a single device (border router, firewall, IPS, caching
> engine, proxy, etc.). A general Internet edge design principle has been
> the "defense in depth" concept. Is anyone collapsing all Internet edge
> functions into one device?
As others have said, this could make sense at the smaller end of the scale
(SOHO, branch offices, small shops, etc), but I haven't seen an all-in-one
box that scales up to the traffic loads or handles things like routing
protocols especially well in a large network. The marketing folks will
often dance around the issue of throughput dropping as services or
modules are turned on, but that's a big problem. I'm perfectly happy
having border routers sitting at my borders, doing the routing, and
firewalls elsewhere, doing the firewalling :)
Another thing to remember is that existing router manufacturers have
gotten pretty good (a few exceptions aside) at building pretty stable
routing implementations. All-in-one box manufacturers that claim to be
able to handle IPv6, BGP, OSPF(v2/v3), etc are basically starting out from
scratch and don't have the benefit of the 10+ years of experience that
Cisco/Juniper/et al have in building routers.
jms