In a message written on Wed, Dec 07, 2011 at 10:19:58AM -0800, Holmes,David A wrote:
> My concern is whether or not consolidating border router and firewall functions in the same device violates, if not explicitly, then the spirit of the "defense in depth" Internet edge design principle. Here is a link to a Department of Homeland Security document where this is discussed (for control systems, but has general application), but not addressed directly: http://www.inl.gov/technicalpublications/Documents/3375141.pdf
I don't think you're looking at defense in depth in the right way, and thus your question doesn't quite make sense. If you look at the attack vector described in the paper you link, it shows what many of us in the ISP world call the "soft gooey center". As you see, the attacker finds a way to bypass the corporate firewall, and once inside the network there are no further controls to prevent the attacker from hopping between corporate desktops, corporate servers, and eventually a SCADA network.

Defense in depth is about internal compartmentalization. The diagram shows deploying additional firewalls between corporate LAN users and corporate servers, and then again between corporate servers and SCADA networks. The idea is that even if the attacker is able to bypass one firewall, they have to pass through a second to get to another zone.

Even with a defense in depth design with these multiple firewalls (really, access control points), there is still the question you ask: should the checkpoint devices be multiple boxes (e.g. firewall and IDS in separate chassis) or unified boxes (firewall+IDS in a single box)? It's really a totally orthogonal question. What defense in depth does not allow you to do (from my understanding) is consolidate these multiple firewall functions into one large virtual firewall, because then you're back to a single point of failure/control.

To summarize, "defense in depth" requires access control and monitoring between different security zones, and that those access control devices not be shared with devices handling other zones. The devices themselves can include multiple functions on a single device without affecting the strategy.

Is stacking functions on one device a good idea? Well, millions of residential users do it (firewall+ids+ips all in one), and plenty of corporate users have had trouble scaling all-in-one devices.
Multiple devices provide greater opportunity to select best in breed, but add more failure points and more things to manage and correlate. Which tradeoffs are best for you and your network is something that can't be easily answered with a rule, or by someone else on the Internet.

-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
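To make the reply's distinction concrete, here is an added example (not from the thread or the linked DHS paper) that models a constructed zone map and counts how many distinct access-control devices an attacker must get past on a path from the Internet to SCADA, comparing a separate box at each boundary with both internal boundaries consolidated onto one virtual firewall; all zone and device names are assumptions.

```python
from itertools import combinations

# Constructed zone map modelled on the design the thread discusses:
# Internet -> corporate LAN -> corporate servers -> SCADA, one
# access-control device per boundary. Edges are (zone_a, zone_b, device).
SEPARATE_BOXES = [
    ("internet", "corp-lan", "border-fw"),
    ("corp-lan", "corp-servers", "server-fw"),
    ("corp-servers", "scada", "scada-fw"),
]
# Same zones, but both internal boundaries consolidated onto one
# large virtual firewall, the design the reply says breaks the strategy.
CONSOLIDATED = [
    ("internet", "corp-lan", "border-fw"),
    ("corp-lan", "corp-servers", "virtual-fw"),
    ("corp-servers", "scada", "virtual-fw"),
]

def reaches(edges, src, dst, bypassed):
    """True if src reaches dst crossing only boundaries whose device is bypassed."""
    adj = {}
    for a, b, dev in edges:
        if dev in bypassed:
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    seen, stack = {src}, [src]
    while stack:
        n = stack.pop()
        if n == dst:
            return True
        for m in adj.get(n, set()) - seen:
            seen.add(m)
            stack.append(m)
    return False

def min_bypass_set(edges, src, dst):
    """Smallest set of distinct devices an attacker must get past (brute force over subsets)."""
    devices = sorted({dev for _, _, dev in edges})
    for k in range(len(devices) + 1):
        for subset in combinations(devices, k):
            if reaches(edges, src, dst, set(subset)):
                return set(subset)
    return None  # dst unreachable even with every device bypassed

def shared_devices(edges):
    """Devices enforcing more than one zone boundary (shared across zones)."""
    count = {}
    for _, _, dev in edges:
        count[dev] = count.get(dev, 0) + 1
    return {dev for dev, n in count.items() if n > 1}
```

With separate boxes the attacker must get past three distinct devices; with the consolidated design only two, and `shared_devices` flags the virtual firewall as the boundary device shared between zones.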