I would argue that collapsing all of your policy evaluation and routing for a size/zone/area/whatever into one box is actually somewhat detrimental to stability (and consequently, security to a certain extent).
Cramming every little feature under the sun into one appliance makes for great glossy brochures and Powerpoint decks, but I just don't think it's practical. Take a LAMP hosting operation for example. Which will scale the furthest to handle the most amount of traffic and stateful sessions: iptables and snort on each multi-core server, or one massive central box with some interface hardware and Cavium Octeons. If built properly, my money's on the distributed setup. Cheers, jof
