Firewall Wizards mailing list archives

Re: Managed firewall services for hundreds of customers


From: Bennett Todd <bet () rahul net>
Date: Mon, 25 Dec 2000 23:22:33 -0500

2000-12-21-11:05:38 Peter Hoelsken:
[ aggregated customer traffic routed into firewall, on separate
  /8s subnetted from under 10/8, do scalable managed firewall ]

An interesting problem spec. I haven't actually tried doing this,
but I've used just about all the pieces at one time or another, and
have friends who've used the other bits, so I think it'd mostly hang
together OK.

First thing I'd do is set up an RDBMS for tracking the config mgmt;
the ability to conveniently extract various views of the config info
to feed into separate systems in their various formats, combined
with ease of setting up the admin editing interface, seems to me
like enough to justify the complexity of an RDBMS. You're going to
want to extract specific views of the config data to
configure packet filters on the firewalls in your farm, as well as
to adjust the configurations of various proxies and other servers
--- MTAs, DNS servers, http proxies, whatever else fits into your
service offering and your customers' security needs.

I'd look to arrange this by aggregating the customer traffic into
bigger IP pipes while keeping it separated in VLANs, feed 'em into
the firewall or firewalls via 802.1q over gigabit ether.

For the firewalls I'd use OS of choice --- mine would be Linux for
this job, I'd definitely recommend an Open Source Unix-like system
with an actively-developed network stack and good packet filtering,
so Linux or one of the BSDs.

You should be able to organize the packet filtering into cleanly
separated sets by logical (802.1q) interface; ipchains would do that
with separate chains, associated with the input and output on each
logical interface. I don't know how you'd configure the same sort of
mgmt structure with ipfilter; I don't know it as well, but I'm sure
it'd be just as easy.

I'd tend to try and avoid attempting to provide "realtime"
high-availability with load-balancing style tricks; at the expense
of requiring really custom protocols atop proprietary
implementations this is possible with simple stateful packet
filtering, but it generally doesn't work in any consistent way with
proxies. Rather, I'd load-balance with the configuration mgmt
system; let it control which vlans feed into which firewall boxes.
If config rearrangement is reasonably quick it would provide you
quick recovery if a machine dies.

-Bennett
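The config-driven, per-logical-interface layout Bennett sketches above, worked through as an added example (not code from the post or from any of the tools it mentions). It assumes a Linux box whose customer VLANs arrive as 802.1q sub-interfaces named TRUNK.VLAN (eth1.101 and so on, as the vconfig tooling of that era named them), an upstream interface eth0, and a small constructed customer table standing in for rows pulled from the config RDBMS; each customer gets its own in-/out- chain pair hooked off the input and output chains by interface, and the "firewall" column is the assignment the config-management system uses to decide which box builds rules for which VLAN.

```python
#!/usr/bin/env python3
"""Generate per-VLAN ipchains rule sets from config-management records.

Added example, not code from the original post. Assumed setup: a Linux
firewall whose customer VLANs arrive on 802.1q sub-interfaces named
TRUNK.VLAN (e.g. eth1.101), an upstream interface eth0, and a customer
table below that is a constructed stand-in for rows the config RDBMS
would hand back.
"""
import sys

TRUNK = "eth1"     # 802.1q trunk (gigabit ether) carrying every customer VLAN
UPSTREAM = "eth0"  # interface towards the Internet

# Constructed records.  "firewall" is the box in the farm that the config-mgmt
# system currently assigns this VLAN to; moving a customer is a data change,
# not a rule rewrite, which is the load-balancing/failover knob from the post.
CUSTOMERS = [
    {"name": "acme",   "vlan": 101, "net": "10.1.0.0/16", "firewall": "fw1",
     "inbound": [("tcp", "10.1.0.25", 25), ("udp", "10.1.0.53", 53)]},
    {"name": "bolt",   "vlan": 102, "net": "10.2.0.0/16", "firewall": "fw2",
     "inbound": [("tcp", "10.2.0.80", 80)]},
    {"name": "cirrus", "vlan": 103, "net": "10.3.0.0/16", "firewall": "fw1",
     "inbound": []},
]


def customer_chains(c):
    """One customer's rules: an in-/out- chain pair hung off its logical interface."""
    ifc = f"{TRUNK}.{c['vlan']}"
    inn, out, net = f"in-{c['vlan']}", f"out-{c['vlan']}", c["net"]
    rules = [
        f"ipchains -N {inn}",
        f"ipchains -N {out}",
        # dispatch by logical interface: packets entering from / leaving via
        # this VLAN are judged only by this customer's own chains
        f"ipchains -A input -i {ifc} -j {inn}",
        f"ipchains -A output -i {ifc} -j {out}",
        # anti-spoofing: only the customer's own prefix may originate on its VLAN
        f"ipchains -A {inn} -s ! {net} -j DENY -l",
        f"ipchains -A {inn} -s {net} -j ACCEPT",
    ]
    # published services: the only new connections allowed towards the customer
    for proto, host, port in c["inbound"]:
        rules.append(f"ipchains -A {out} -p {proto} -d {host} {port} -j ACCEPT")
    rules += [
        # ipchains is stateless: replies to customer-initiated traffic are
        # approximated as non-SYN TCP plus UDP from source port 53 (DNS answers)
        f"ipchains -A {out} -p tcp ! -y -d {net} -j ACCEPT",
        f"ipchains -A {out} -p udp -s 0.0.0.0/0 53 -d {net} -j ACCEPT",
        f"ipchains -A {out} -j DENY -l",
    ]
    return rules


def ruleset_for(firewall, customers=CUSTOMERS):
    """Complete script for one box: only the VLANs the config table assigns to it."""
    script = [
        "ipchains -F", "ipchains -X",
        "ipchains -P input DENY", "ipchains -P output DENY", "ipchains -P forward ACCEPT",
        # traffic on the upstream side is judged by the per-customer chain on the
        # other side of the box, so let it through the trunk-facing hooks here
        f"ipchains -A input -i {UPSTREAM} -j ACCEPT",
        f"ipchains -A output -i {UPSTREAM} -j ACCEPT",
    ]
    for c in customers:
        if c["firewall"] == firewall:
            script += customer_chains(c)
    return script


def reassign(customers, name, firewall):
    """Config-mgmt failover: hand a customer's VLAN to another box (returns a new table)."""
    return [dict(c, firewall=firewall) if c["name"] == name else c for c in customers]


if __name__ == "__main__":
    box = sys.argv[1] if len(sys.argv) > 1 else "fw1"
    print("\n".join(ruleset_for(box)))
```

Running it with a box name on the command line emits the ipchains script for that box alone; failing fw2 over is just `reassign(CUSTOMERS, "bolt", "fw1")` followed by regenerating and pushing fw1's script, plus repointing VLAN 102 at fw1 on the switch side. The stateless reply rules are the weak point of the ipchains approach and are the reason proxies and MTAs need their own views out of the same config table rather than being squeezed into the packet filter.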
