On Thu, Jan 05, 2012 at 10:22:55AM -0500, Rich Kulawiec wrote:
> On Tue, Dec 06, 2011 at 01:44:05PM -0800, Jonathan Lassoff wrote:
> > Cramming every little feature under the sun into one appliance makes for great glossy brochures and PowerPoint decks, but I just don't think it's practical.
>
> 1. It's an excellent way to create a single point-of-failure.
>
> 2. I prefer, when building defense-in-depth, to build the layers with different technology running on different operating systems on different architectures. There's no doubt this adds some complexity and that it requires judicious design to be scalable, maintainable, and so on. But it raises the bar for attackers considerably, and it gives defenders a fighting chance of discovering a breach in one layer before it becomes a breach in all layers.
>
> 3. One of the mistakes we all continue to make, whether we have our paws on integrated appliances or separate systems, is default-permit. We really need to make sure that the syntactic equivalent of "deny all from any to any" is the first rule installed in any of these, and then work from there.
>
> p.s. In re PowerPoint, I've long held that the appropriate response to "I have a PowerPoint presentation..." is for everyone else in the room to find a strong rope and a sturdy tree, and do what must be done for the sake of humanity.
"Power corrupts. PowerPoint corrupts absolutely."

As regards avoidance of SPOFs, I also prefer multiple layers in different technologies &c. A monoculture is horribly vulnerable. I grant that network hardware isn't exactly Ireland just before the potato famine, but the parallels are there and applicable in at least some senses.

-- 
Mike Andrews, W5EGO
mikea@mikea.ath.cx
Tired old sysadmin
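Point 3 above, default-permit versus a terminal "deny all from any to any", illustrated with a small first-match rule evaluator. This is an added example, not code from the thread; the addresses, ports and rules are constructed, and the evaluator mimics ordered first-match semantics rather than any particular vendor's syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # CIDR, or "any"
    dst: str              # CIDR, or "any"
    dport: Optional[int]  # None matches every port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        for cidr, addr in ((self.src, src), (self.dst, dst)):
            if cidr != "any" and ip_address(addr) not in ip_network(cidr):
                return False
        return self.dport is None or self.dport == dport

def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule decides; with no terminal rule the flow falls through."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return "permit"  # implicit default-permit: the trap the post warns about

# Constructed policy: a public HTTPS service plus SSH from one admin network.
PERMITS = [
    Rule("permit", "any", "192.0.2.10/32", 443),
    Rule("permit", "198.51.100.0/24", "192.0.2.10/32", 22),
]
DENY_ALL = Rule("deny", "any", "any", None)  # "deny all from any to any"

def default_permit_policy() -> List[Rule]:
    # Only the things someone remembered to block are blocked.
    return [Rule("deny", "any", "192.0.2.10/32", 23)] + PERMITS

def default_deny_policy() -> List[Rule]:
    # Start from deny-all, then work the explicit permits in above it.
    return PERMITS + [DENY_ALL]

SAMPLE_FLOWS = [  # constructed (src, dst, dport)
    ("203.0.113.5", "192.0.2.10", 443),   # intended public service
    ("203.0.113.5", "192.0.2.10", 22),    # SSH from outside the admin net
    ("203.0.113.5", "192.0.2.10", 3306),  # service nobody wrote a rule for
]

def compare(flows=SAMPLE_FLOWS) -> dict:
    """Map each flow to (default-permit verdict, default-deny verdict)."""
    return {f: (evaluate(default_permit_policy(), *f),
                evaluate(default_deny_policy(), *f)) for f in flows}
```

The forgotten database port and the out-of-scope SSH attempt are both reachable under the default-permit ruleset and both blocked once the terminal deny is in place.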