Firewall Wizards mailing list archives
Re: Managed firewall services for hundreds of customers
From: Bennett Todd <bet () rahul net>
Date: Mon, 25 Dec 2000 23:22:33 -0500
2000-12-21-11:05:38 Peter Hoelsken:
[ aggregated customer traffic routed into firewall, on separate /8s subnetted from under 10/8, do scalable managed firewall ]
An interesting problem spec. I haven't actually tried doing this, but I've used just about all the pieces at one time or another, and have friends who've used the other bits, so I think it'd mostly hang together OK.

First thing I'd do is set up an RDBMS for tracking the config mgmt; the ability to conveniently extract various views of the config info to feed into separate systems in their various formats, combined with ease of setting up the admin editing interface, seems to me like enough to justify the complexity of an RDBMS. You're going to want to be able to extract specific views of the config data to configure packet filters on the firewalls in your farm, as well as to adjust the configurations of various proxies and other servers --- MTAs, DNS servers, http proxies, whatever else fits into your service offering and your customers' security needs.

I'd look to arrange this by aggregating the customer traffic into bigger IP pipes while keeping it separated in VLANs, feed 'em into the firewall or firewalls via 802.1q over gigabit ether.

For the firewalls I'd use OS of choice --- mine would be Linux for this job; I'd definitely recommend an Open Source Unix-like system with an actively-developed network stack and good packet filtering, so Linux or one of the BSDs. You should be able to organize the packet filtering into cleanly separated sets by logical (802.1q) interface; ipchains would do that with separate chains, associated with the input and output on each logical interface. I don't know how you'd configure the same sort of mgmt structure with ipfilter, I don't know it as well, but I'm sure it'd be just as easy.

I'd tend to try and avoid attempting to provide "realtime" high-availability with load-balancing style tricks; at the expense of requiring really custom protocols atop proprietary implementations this is possible with simple stateful packet filtering, but it generally doesn't work in any consistent way with proxies. Rather, I'd load-balance with the configuration mgmt system; let it control which vlans feed into which firewall boxes. If config rearrangement is reasonably quick it would provide you quick recovery if a machine dies.

-Bennett
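The two ideas in the post that lend themselves to code are the "packet filter view" of the config database (one pair of ipchains chains hung off the input and output of each 802.1q logical interface, with default deny) and doing load balancing and failover by reassigning VLANs to firewall boxes in the config system. The following is an added example, not code from Bennett Todd or from any listed product: it takes a constructed in-memory stand-in for the RDBMS view and emits the ipchains commands as strings rather than running them. It assumes the logical interfaces are named `eth0.<vlan>` and that ipchains chain labels are limited to 8 characters (so chain names are derived from the VLAN id); the customer names, VLAN ids, 10/8 subnets and firewall names are constructed sample data.

```python
# Added example (not from the original post): derive per-customer ipchains
# rule sets from a config-database view, and reassign VLANs between firewall
# boxes as the post's "load-balance with the configuration mgmt system".
from dataclasses import dataclass, field, replace
from typing import Dict, List, Tuple


@dataclass
class Rule:
    proto: str          # "tcp" or "udp"
    dport: int          # destination port to permit
    to_customer: bool   # True: Internet -> customer net; False: customer -> Internet


@dataclass
class Customer:
    name: str
    vlan: int           # 802.1q tag; logical interface assumed to be eth0.<vlan>
    net: str            # customer block subnetted from 10/8 (constructed)
    firewall: str       # firewall box currently carrying this VLAN
    rules: List[Rule] = field(default_factory=list)


# Constructed sample of what the RDBMS "packet filter view" would return.
CUSTOMERS = [
    Customer("acme", 101, "10.1.0.0/24", "fw1",
             [Rule("tcp", 80, True), Rule("tcp", 25, True), Rule("tcp", 443, False)]),
    Customer("beta", 102, "10.2.0.0/24", "fw1", [Rule("udp", 53, False)]),
    Customer("gamma", 103, "10.3.0.0/24", "fw2", [Rule("tcp", 22, True)]),
]


def chain_names(c: Customer) -> Tuple[str, str]:
    # ipchains labels are assumed limited to 8 characters, so name chains by
    # VLAN id ("v4094out" is the longest possible) rather than by customer.
    return f"v{c.vlan}in", f"v{c.vlan}out"


def rules_for(c: Customer) -> List[str]:
    """ipchains commands for one customer's logical interface."""
    iface = f"eth0.{c.vlan}"
    cin, cout = chain_names(c)
    cmds = [
        f"ipchains -N {cin}",
        f"ipchains -N {cout}",
        # Packets FROM the customer arrive on input of its VLAN interface;
        # packets TO the customer leave on output of that same interface.
        f"ipchains -A input -i {iface} -j {cin}",
        f"ipchains -A output -i {iface} -j {cout}",
        # Anti-spoof: only the customer's own block may source packets here.
        f"ipchains -A {cin} -s ! {c.net} -j DENY -l",
    ]
    for r in c.rules:
        if r.to_customer:
            cmds.append(f"ipchains -A {cout} -p {r.proto} -d {c.net} {r.dport} -j ACCEPT")
            if r.proto == "tcp":   # ipchains is stateless: allow replies explicitly
                cmds.append(f"ipchains -A {cin} -p tcp -s {c.net} {r.dport} ! -y -j ACCEPT")
        else:
            cmds.append(f"ipchains -A {cin} -p {r.proto} -s {c.net} -d 0/0 {r.dport} -j ACCEPT")
            syn = " ! -y" if r.proto == "tcp" else ""
            cmds.append(f"ipchains -A {cout} -p {r.proto} -s 0/0 {r.dport} -d {c.net}{syn} -j ACCEPT")
    # Default deny, logged, at the end of each per-customer chain.
    cmds += [f"ipchains -A {cin} -j DENY -l", f"ipchains -A {cout} -j DENY -l"]
    return cmds


def vlans_by_firewall(customers: List[Customer]) -> Dict[str, List[int]]:
    """Which VLANs each firewall box is configured to carry."""
    out: Dict[str, List[int]] = {}
    for c in customers:
        out.setdefault(c.firewall, []).append(c.vlan)
    return out


def failover(customers: List[Customer], dead: str, alive: List[str]) -> List[Customer]:
    """Reassign a dead box's VLANs round-robin over surviving boxes (new list)."""
    out, i = [], 0
    for c in customers:
        if c.firewall == dead:
            c = replace(c, firewall=alive[i % len(alive)])
            i += 1
        out.append(c)
    return out


if __name__ == "__main__":
    for fw, vlans in vlans_by_firewall(CUSTOMERS).items():
        print(f"# {fw}: VLANs {vlans}")
    for c in CUSTOMERS:
        print("\n".join(rules_for(c)))
```

Each customer's rules live only in chains reachable from its own logical interface, so a config edit for one customer regenerates and reloads one chain pair, and moving a VLAN to another box is a change to the `firewall` column plus a regeneration on both boxes. The explicit reply rules are the price of ipchains being stateless; a stateful filter would collapse them into a single established-connection rule.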