On Tue, Dec 06, 2011 at 01:44:05PM -0800, Jonathan Lassoff wrote:
Cramming every little feature under the sun into one appliance makes for great glossy brochures and Powerpoint decks, but I just don't think it's practical.
1. It's an excellent way to create a single point-of-failure.

2. I prefer, when building defense-in-depth, to build the layers with
different technology running on different operating systems on different
architectures. There's no doubt this adds some complexity and that it
requires judicious design to be scalable, maintainable, and so on. But it
raises the bar for attackers considerably, and it gives defenders a
fighting chance of discovering a breach in one layer before it becomes a
breach in all layers.

3. One of the mistakes we all continue to make, whether we have our paws
on integrated appliances or separate systems, is default-permit. We really
need to make sure that the syntactic equivalent of "deny all from any to
any" is the first rule installed in any of these, and then work from there.

---rsk

p.s. In re Powerpoint, I've long held that the appropriate response to "I
have a PowerPoint presentation..." is for everyone else in the room to find
a strong rope and a sturdy tree, and do what must be done for the sake of
humanity.
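The default-permit point above is easy to agree with and easy to get wrong in practice, so here is an added example (not part of the mailing-list thread or anyone's posted code) that models a first-match packet filter and runs the same constructed traffic through a default-permit ruleset and a default-deny one. The operational reading of "deny all from any to any ... then work from there" in a first-match engine is that the catch-all deny is the base of the policy and every explicit permit sits above it; the example makes that concrete and also reports which packets were let through only because no rule mentioned them, which under default-permit is exactly the traffic nobody reviewed. Hosts, networks and the rule sets are hypothetical, using RFC 5737 documentation addresses.

```python
"""Added example: first-match packet filter contrasting default-permit with
default-deny.  All addresses, rules and sample traffic are hypothetical."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    name: str    # label used only for reporting
    proto: str   # "tcp" or "udp"
    src: str     # source address
    dst: str     # destination address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "any"           # "tcp", "udp" or "any"
    src: str = "any"             # CIDR or "any"
    dst: str = "any"             # CIDR or "any"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def decide(rules: List[Rule], pkt: Packet, default: str) -> Tuple[str, Optional[int]]:
    """First match wins; `default` applies only when no rule matches.
    Returns (action, index of the matching rule, or None for fall-through)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return default, None


# The mistake: enumerate a few things known to be bad, let everything else in.
DEFAULT_PERMIT_RULES = [
    Rule("deny", "tcp", dport=23),    # telnet
    Rule("deny", "tcp", dport=445),   # SMB
]

# The fix: enumerate only what is needed, with "deny all from any to any"
# as the base of the policy.  In a first-match engine that catch-all sits
# last, and every permit is placed above it.
DEFAULT_DENY_RULES = [
    Rule("permit", "tcp", dst="192.0.2.10/32", dport=80),    # public web server
    Rule("permit", "tcp", dst="192.0.2.10/32", dport=443),
    Rule("permit", "tcp", src="198.51.100.0/24", dst="192.0.2.0/24", dport=22),  # mgmt SSH
    Rule("deny"),  # explicit catch-all, so the engine's default never decides
]

# Constructed sample traffic against hypothetical hosts (RFC 5737 ranges).
SAMPLE_TRAFFIC = [
    Packet("https-from-internet", "tcp", "203.0.113.5", "192.0.2.10", 443),
    Packet("telnet-from-internet", "tcp", "203.0.113.5", "192.0.2.10", 23),
    Packet("redis-from-internet", "tcp", "203.0.113.5", "192.0.2.20", 6379),
    Packet("ssh-from-mgmt", "tcp", "198.51.100.7", "192.0.2.20", 22),
    Packet("ssh-from-internet", "tcp", "203.0.113.5", "192.0.2.20", 22),
]


def audit(rules: List[Rule], default: str, traffic: List[Packet]) -> Dict[str, str]:
    """Map each sample packet's name to the action the ruleset takes on it."""
    return {pkt.name: decide(rules, pkt, default)[0] for pkt in traffic}


def fallthrough_permits(rules: List[Rule], default: str, traffic: List[Packet]) -> List[str]:
    """Packets permitted by no rule at all, only by the absence of one.
    Under default-permit this is the traffic nobody ever looked at."""
    return [pkt.name for pkt in traffic
            if decide(rules, pkt, default) == ("permit", None)]


if __name__ == "__main__":
    for label, rules, default in (("default-permit", DEFAULT_PERMIT_RULES, "permit"),
                                  ("default-deny", DEFAULT_DENY_RULES, "deny")):
        print(label, audit(rules, default, SAMPLE_TRAFFIC))
        print("  permitted only by fall-through:",
              fallthrough_permits(rules, default, SAMPLE_TRAFFIC))
```

Running it shows the asymmetry: the default-permit set blocks the two services someone remembered to list and waves through Redis and SSH from the Internet because nobody listed them, while the default-deny set reaches the catch-all for anything not explicitly needed and its fall-through list is empty. That empty list is the property worth checking on a real firewall: if any permitted flow is reached only by falling off the end of the ruleset, the policy is still default-permit no matter what the brochure says.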