Firewall Wizards mailing list archives

Re: Managed firewall services for hundreds of customers


From: Shane Amante <shane () amante org>
Date: Mon, 25 Dec 2000 18:36:42 -0700

In no particular order, you may want to consider the following vendors:

- Cisco (Compatible Systems) VPN Concentrator 5000
- Nortel Shasta BSN-5000
- Lucent Springtide IPSS 5000
- CoSine IPSX 9000

There are other vendors working on adding "high-touch" services to
their existing platforms as well.

I can assure you that the cost for the above is definitely > $0
... ;-)  The theory is legacy edge boxes don't have the horsepower
(e.g.: ASICs/FPGAs), nor software, to "reliably" enable value-add
services.  If ISPs replace their existing legacy platforms with new
"high-touch" hardware, they not only can service their existing
"vanilla IP transit" customers, but also offer value-add services to
new/existing customers.  YMMV.

-shane


On Thu, Dec 21, 2000 at 05:05:38PM +0100, Peter Hoelsken wrote:
I'm searching for a firewall that would be capable to offer hundreds of
customers (small businesses) a managed firewall service (they call the
service center and ask for things like "Could you please forward any mail
traffic towards our internal mail server and btw please lock out all those
Napster users").

The customers will be fed into the firewall's internal interface with
private IP addresses like:

customer   IP range
1          10.0.1.0/24
2          10.0.2.0/24
3          10.0.3.0/24
.          .
.          .
.          .

The router that feeds the firewall doesn't do any forwarding between the
different subnets.

Since this should be scaled to approx. 1000 customers, change requests for
the ruleset will most likely be coming in every day. Therefore it would be
good, if one could use separate rulesets for each customer in order to keep
potential rule errors local. Also, changing the rules while operational has
to be seamless. Speed is not that important, since we could scale that with
load balancers. However the size of the state table might be an issue. All
this should come for $0 ;).

I know that some company offers a gigabit hardware firewall that can handle
about 100 virtual firewalls in one box, however the price tag is a bit tough
($300.000). Another solution I looked into was the freeware ipfilter, at
least it is capable of forming rule blocks (one block for each customer).

Do you have any considerations?

Best regards,

Peter Hoelsken
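Peter's "one rule block per customer" idea, worked out as an added example that is not code from this thread: a POSIX shell generator that emits one ipfilter head/group pair per customer subnet, so each customer's rules are evaluated in isolation behind a default-deny head and a mistake inside one group cannot leak onto another customer's traffic. The interface names, customer table, mail-server addresses and the blocked port are constructed assumptions.

```shell
#!/bin/sh
# Generate per-customer ipfilter rule groups from a customer table.
# Constructed sample table: customer id, subnet, mail server ("-" = none).
CUSTOMERS='1 10.0.1.0/24 10.0.1.25
2 10.0.2.0/24 -
3 10.0.3.0/24 10.0.3.10'
EXT_IF=xl0     # assumed external (upstream) interface
INT_IF=xl1     # assumed internal interface where customers are fed in
P2P_PORT=6699  # assumed port of the file-sharing service to block

# Emit one isolated rule block for a single customer.
# Group numbers are derived from the customer id so they never collide.
customer_group() {
  id=$1; subnet=$2; mail=$3
  gin=$((1000 + id * 2)); gout=$((1001 + id * 2))
  echo "# --- customer $id ($subnet) ---"
  # Head rules: default-deny. A packet only enters this group if it is
  # addressed to / sourced from this customer's subnet, and if nothing in
  # the group matches, the head's block action stands (quick = stop here).
  echo "block in quick on $EXT_IF from any to $subnet head $gin"
  echo "block in quick on $INT_IF from $subnet to any head $gout"
  # Per-customer exceptions, e.g. "forward mail to our internal server".
  if [ "$mail" != "-" ]; then
    echo "pass in quick on $EXT_IF proto tcp from any to $mail port = 25 flags S keep state group $gin"
  fi
  # Outbound: block the file-sharing port, allow the rest with state.
  # Note: every "keep state" rule adds entries to the single shared state
  # table, which is the resource Peter expects to run out of first.
  echo "block in quick on $INT_IF proto tcp from $subnet to any port = $P2P_PORT group $gout"
  echo "pass in quick on $INT_IF from $subnet to any keep state group $gout"
}

# Emit the complete ruleset: a global anti-spoof rule, then one group per customer.
generate_ruleset() {
  echo "block in quick on $EXT_IF from 10.0.0.0/8 to any"
  printf '%s\n' "$CUSTOMERS" | while read -r id subnet mail; do
    customer_group "$id" "$subnet" "$mail"
  done
}

# Seamless reload: load into the inactive list, then swap (ipf -I / ipf -s),
# so the running ruleset is never half-replaced while traffic flows.
[ "$1" = "--print" ] && generate_ruleset
```

Run with `--print` to inspect the generated rules; `generate_ruleset > /tmp/ipf.conf && ipf -I -f /tmp/ipf.conf && ipf -s` would stage and swap them in.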


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
