On 12/06/2011 11:16 AM, Holmes,David A wrote:
Some firewall vendors are proposing to collapse all Internet edge functions into a single 
device (border router, firewall, IPS, caching engine, proxy, etc.). A general Internet 
edge design principle has been the "defense in depth" concept. Is anyone 
collapsing all Internet edge functions into one device?

Regards,

David


Yikes... single point of failure. I really dislike the notion that all the security comes down to a single potentially compromisable point. Our security functions like IPS run separate to centralised logging, etc. etc. so that if someone does happen to break into a particular point there are still further things they need to try to compromise before they can have their wicked way, or whatever it is they want to do. Sure, the economies of a centralised box and the convenience are probably tempting, and it's better than nothing, but I can't picture it actually being an improvement over split-out functions.

Paul
