[147292] in North American Network Operators' Group


Re: Internet Edge and Defense in Depth

daemon@ATHENA.MIT.EDU (Justin M. Streiner)
Tue Dec 6 17:07:19 2011

Date: Tue, 6 Dec 2011 17:06:08 -0500 (EST)
From: "Justin M. Streiner" <streiner@cluebyfour.org>
To: "nanog@nanog.org" <nanog@nanog.org>
In-Reply-To: <922ACC42D498884AA02B3565688AF995340255F77F@USEXMBS01.mwd.h2o>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, 6 Dec 2011, Holmes,David A wrote:

> Some firewall vendors are proposing to collapse all Internet edge 
> functions into a single device (border router, firewall, IPS, caching 
> engine, proxy, etc.). A general Internet edge design principle has been 
> the "defense in depth" concept. Is anyone collapsing all Internet edge 
> functions into one device?

As others have said, this could make sense at the smaller end of the scale 
(SOHO, branch offices, small shops, etc.), but I haven't seen an all-in-one 
box that scales up to the traffic loads or handles things like routing 
protocols especially well in a large network.  The marketing folks will 
often dance around the issue of throughput dropping as services or 
modules are turned on, but that's a big problem.  I'm perfectly happy 
having border routers sitting at my borders, doing the routing, and 
firewalls elsewhere, doing the firewalling :)

Another thing to remember is that existing router manufacturers have 
gotten pretty good (a few exceptions aside) at building pretty stable 
routing implementations.  All-in-one box manufacturers that claim to be 
able to handle IPv6, BGP, OSPF(v2/v3), etc are basically starting out from 
scratch and don't have the benefit of the 10+ years of experience that 
Cisco/Juniper/et al have in building routers.

jms
