[147290] in North American Network Operators' Group
Re: Internet Edge and Defense in Depth
daemon@ATHENA.MIT.EDU (Jonathan Lassoff)
Tue Dec 6 16:45:14 2011
In-Reply-To: <CAA8=vb5PzUz=CxhMxE=B0fxXGVe1oNjRK6+4qpWqjpQvhmVRHw@mail.gmail.com>
Date: Tue, 6 Dec 2011 13:44:05 -0800
From: Jonathan Lassoff <jof@thejof.com>
To: David Swafford <david@davidswafford.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I would argue that collapsing all of your policy evaluation and routing for
a size/zone/area/whatever into one box is actually somewhat detrimental to
stability (and consequently, security to a certain extent).

Cramming every little feature under the sun into one appliance makes for
great glossy brochures and PowerPoint decks, but I just don't think it's
practical.

Take a LAMP hosting operation for example. Which will scale the furthest to
handle the most traffic and stateful sessions: iptables and snort on each
multi-core server, or one massive central box with some interface hardware
and Cavium Octeons?

If built properly, my money's on the distributed setup.

Cheers,
jof