Defence in depth, diversity of defence

"The clever combatant looks to the effect of combined energy and does not require too much from individuals..."
... or systems. Requiring too much from systems introduces significant risk.
This introduces the concept of dedicated functionality, a strategy where security devices serve a sole purpose.
For example, routers route traffic, and although you can add access control lists (to block RFC 1918 addresses), that does not make them firewalls.
You need to use real firewalls, access control devices that enforce policy through allow and block rules.
Firewalls also provide network address translation and maintain state on connections, something traditional routers can't do; this allows packets to be analysed at the network, transport and session layers for a deeper understanding of the protocol.
Tracking state at these layers also lets the firewall build virtual sessions for the connectionless protocols used by UDP and RPC applications.
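To make the difference concrete, here is an added illustration (not code from the original article): a stateless router ACL that only drops RFC 1918 sources, beside a minimal stateful filter that builds virtual sessions for UDP so that inbound datagrams are admitted only as replies to flows an inside host started. The inside network, the address set and the 30-second idle timeout are assumed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example values (assumptions, not taken from the article).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INSIDE = ip_network("192.168.1.0/24")   # the protected side of the filter
UDP_IDLE_TIMEOUT = 30.0                 # seconds a UDP virtual session may stay idle


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ts: float   # arrival time in seconds


def router_acl_allows(pkt: Packet) -> bool:
    """Stateless ACL: each packet is judged on its own, with no memory of earlier traffic."""
    return not any(ip_address(pkt.src) in net for net in RFC1918)


class StatefulFilter:
    """Tracks outbound UDP flows as virtual sessions; inbound is admitted only for a live session."""

    def __init__(self) -> None:
        # (inside_ip, inside_port, outside_ip, outside_port) -> timestamp last seen
        self.sessions: dict[tuple, float] = {}

    def _expire(self, now: float) -> None:
        self.sessions = {k: t for k, t in self.sessions.items() if now - t <= UDP_IDLE_TIMEOUT}

    def allows(self, pkt: Packet) -> bool:
        self._expire(pkt.ts)
        if ip_address(pkt.src) in INSIDE:
            # Outbound datagram: create or refresh the virtual session, then let it through.
            self.sessions[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.ts
            return True
        # Inbound datagram: only the reverse tuple of a live session gets through.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.sessions:
            self.sessions[key] = pkt.ts
            return True
        return False
```

An unsolicited UDP datagram from a public address passes the stateless ACL but is dropped by the stateful filter, while the reply to a flow the inside host opened is admitted until the session idles out.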
Regarding "combined energy", the convergence of security functions into unified threat management devices has gained momentum, especially for small and branch offices. These devices consolidate security functions (firewall, intrusion prevention, anti-virus capability and Internet content filtering, among others) in a single box managed through one interface.
Other security strategies, defence in depth and diversity of defence, are important. Defence in depth creates concentric layers that an attacker must penetrate while we watch their activities (like a honeypot). Diversity of defence provides prevention and detection controls that work independently.
Figure: Aircraft carriers rely on concentric circles of defence and a variety of weapons.