[147300] in North American Network Operators' Group


Re: Internet Edge and Defense in Depth

daemon@ATHENA.MIT.EDU (Robert Brockway)
Tue Dec 6 18:21:38 2011

Date: Wed, 7 Dec 2011 09:20:05 +1000 (EST)
From: Robert Brockway <robert@timetraveller.org>
To: "nanog@nanog.org" <nanog@nanog.org>
In-Reply-To: <922ACC42D498884AA02B3565688AF995340255F77F@USEXMBS01.mwd.h2o>


On Tue, 6 Dec 2011, Holmes,David A wrote:

> Some firewall vendors are proposing to collapse all Internet edge 
> functions into a single device (border router, firewall, IPS, caching 
> engine, proxy, etc.). A general Internet edge design principle has been 
> the "defense in depth" concept. Is anyone collapsing all Internet edge 
> functions into one device?

Hi David.  A principle of network firewall design has long been that you 
want to minimise services (proxy, etc.) running there, as they can be a 
vector for attack against the firewall itself.

In the end this is about risk analysis.  In most cases I would recommend 
against loading the firewall with additional functionality, for a variety 
of reasons.  In some cases it may make sense to do so.

This is completely separate to whether servers should even have a firewall 
or IPS in front of them.  That's another (interesting) discussion :)

Cheers,

Rob

-- 
Email: robert@timetraveller.org		Linux counter ID #16440
IRC: Solver (OFTC & Freenode)
Web: http://www.practicalsysadmin.com
Director, Software in the Public Interest (http://spi-inc.org/)
Free & Open Source: The revolution that quietly changed the world
"One ought not to believe anything, save that which can be proven by nature and the force of reason" -- Frederick II (26 December 1194 – 13 December 1250)
