A multi-tenant firewall for an MSSP

Blake Dunlap ikiris at gmail.com
Tue Aug 18 19:32:09 UTC 2015


Since no one else has mentioned it, I'll dive on that fire.

Be careful when setting up a multi-tenant security solution that you
are not accidentally selling "DoS as a Service" to your clients. State
is evil, and state sharing with other targets is dangerous. Target
sharing with other targets that are outsourcing their security can get
increasingly scary especially if one of these clients is a juicy
target. Make sure you have the infrastructure in place to quickly
isolate your clients so that they do not fate share if they become in
the focus of DoS attacks. This can mean isolated infrastructure for
those you wish to keep up, or sacrificial infrastructure for those you
are willing to let drop for the greater good.

-Blake

On Tue, Aug 18, 2015 at 10:38 AM, Eugeniu Patrascu <eugen at imacandi.net> wrote:
> On Mon, Aug 17, 2015 at 7:46 AM, Ramy Hashish <ramy.ihashish at gmail.com>
> wrote:
>
>> Hello All,
>>
>> We are planning to implement a multi-tenant FW/UTM and start providing
>> security as a service, I would like to hear if anybody had experience on
>> this, and if there are any recommendations for the UTM's vendor.
>>
>
> Check Point VS might be a good fit. Also there is McAfee NGFW that can be
> used as a multi-tenant solution.
>
> Other solutions are Fortigate (what you mentioned), ASA w/ contexts (not
> sure about UTM support in contexts though).
>
>
>> People/customers here are more familiar with the Fortigate, however, we
>> need to build a well-rounded solution that suits wide range of enterprises'
>> business needs.
>>
>
> I think that you first define what the most wanted needs of your clients
> are and work from that.



More information about the NANOG mailing list