A multi-tenant firewall for an MSSP

Edward Dore edward.dore at freethought-internet.co.uk
Tue Aug 18 21:30:28 UTC 2015


On 18 Aug 2015, at 20:48, J. Oquendo <joquendo at e-fensive.net> wrote:

> On Tue, 18 Aug 2015, Blake Dunlap wrote:
> 
>> Since no one else has mentioned it, I'll dive on that fire.
>> 
>> Be careful when setting up a multi-tenant security solution that you
>> are not accidentally selling "DoS as a Service" to your clients. State
>> is evil, and state sharing with other targets is dangerous. Target
>> sharing with other targets that are outsourcing their security can get
>> increasingly scary especially if one of these clients is a juicy
>> target. Make sure you have the infrastructure in place to quickly
>> isolate your clients so that they do not fate share if they become in
>> the focus of DoS attacks. This can mean isolated infrastructure for
>> those you wish to keep up, or sacrificial infrastructure for those you
>> are willing to let drop for the greater good.
>> 
>> -Blake
>> 
> 
> Unsure what you meant by this. In a multi-tenant firewall
> implementation (as far as I envision it), all tenants would
> occupy different IP space so I don't get how any of the
> state sessions would be affected. I'd be more concerned
> with not enough sockets. 
> 
> Palo Alto has a virtual system set up built specifically
> for this:
> 
> https://www.paloaltonetworks.com/products/features/virtual-systems.html
> 
> Now if only they'd send me free firewalls for marketing
> them.
> 
> -- 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
> 
> "Where ignorance is our master, there is no possibility of
> real peace" - Dalai Lama
> 
> 0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
> https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463

Back in my corporate days, the company that I was working for had persistent problems with a large UK ISP who insisted on providing a centralised "managed" firewall service for their multi-site internet connectivity (basically an L3VPN with a gateway for internet breakout), despite then setting the rules to allow everything as each site on the network had its own local firewall under our administrative control.

The ISP were using Cisco FWSM with each customer in their own context and the company I was working for would periodically stop receiving any responses to DNS lookups irrespective of the server queried. It eventually turned out that another customer on the same FWSM kept getting DoSed and when this happened it caused some form of resource exhaustion (I'm afraid I can't recall the exact details) which broke things in the other contexts - the most noticeable of which was the protocol inspection/fixup stuff that was looking at DNS traffic!

Of course, this may have been a configuration issue or a problem with the specific version of software that the ISP were running.

Edward Dore 
Freethought Internet 
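The failure mode described in this thread, a flooded tenant exhausting a state table that other contexts share, can be modelled in a few lines. The following is an added illustration written for this archive page, not code from the original posts and not a model of any specific vendor's implementation: a constructed state table with a global capacity, with and without a per-context quota, showing whether a bystander tenant's new flow (think of the DNS lookup above) is still admitted while another tenant is under a connection flood.

```python
"""Constructed model of a multi-tenant firewall state table.

Compares a shared pool with no per-context limit against the same pool
with a per-context quota, to show whether a tenant under a connection
flood can starve other tenants of state-table entries.
"""
from collections import Counter


class StateTable:
    """Flow/state table shared by all contexts on one firewall."""

    def __init__(self, capacity, per_tenant_quota=None):
        self.capacity = capacity            # total entries the box can hold
        self.quota = per_tenant_quota       # per-context ceiling, or None for none
        self.entries = Counter()            # tenant -> number of active flows

    def admit(self, tenant):
        """Try to create a state entry for `tenant`; True if it was created."""
        if self.quota is not None and self.entries[tenant] >= self.quota:
            return False                    # tenant hit its own limit only
        if sum(self.entries.values()) >= self.capacity:
            return False                    # whole pool exhausted: fate sharing
        self.entries[tenant] += 1
        return True


def simulate(capacity, quota, flood_flows,
             victim="tenant-a", bystander="tenant-b"):
    """Flood `victim` with `flood_flows` new flows, then try one flow for `bystander`.

    Returns how many flood flows got state entries and whether the bystander's
    single flow (e.g. a DNS query) was still admitted afterwards.
    """
    table = StateTable(capacity, quota)
    flood_admitted = sum(table.admit(victim) for _ in range(flood_flows))
    bystander_admitted = table.admit(bystander)
    return {"flood_admitted": flood_admitted,
            "bystander_admitted": bystander_admitted}


if __name__ == "__main__":
    # Constructed numbers: a 1,000-entry table, a 5,000-flow flood.
    print("shared pool, no quota :", simulate(1000, None, 5000))
    print("per-context quota 400 :", simulate(1000, 400, 5000))
```

Without a quota the bystander's lookup is refused once the flood fills the pool; with a per-context ceiling the flood is capped at the offending context and the other tenant's flow still gets an entry.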


More information about the NANOG mailing list