On Jan 10, 2010, at 10:33 AM, Christopher Morrow wrote:
separate the portions of the pie... only let the attack break the minimal portion of your deployment. Use the right tool in the right place.
An excellent point. A Web front-end server should be that - merely the front-end. Situationally-appropriate functional separation is a key architectural principle. Combine that with the measures outlined in <http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html>, coupled with a functionally-separated, bulkheaded DNS infrastructure pictured in <http://files.me.com/roland.dobbins/m4g34u>, and one will end up with a much more robust, scalable, and defensible system. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com> Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken