nanog mailing list archives

Re: A multi-tenant firewall for an MSSP


From: "J. Oquendo" <joquendo () e-fensive net>
Date: Tue, 18 Aug 2015 14:48:36 -0500

On Tue, 18 Aug 2015, Blake Dunlap wrote:

Since no one else has mentioned it, I'll dive on that fire.

Be careful when setting up a multi-tenant security solution that you
are not accidentally selling "DoS as a Service" to your clients. State
is evil, and state sharing with other targets is dangerous. Target
sharing with other targets that are outsourcing their security can get
increasingly scary especially if one of these clients is a juicy
target. Make sure you have the infrastructure in place to quickly
isolate your clients so that they do not fate share if they become
the focus of DoS attacks. This can mean isolated infrastructure for
those you wish to keep up, or sacrificial infrastructure for those you
are willing to let drop for the greater good.

-Blake


Unsure what you meant by this. In a multi-tenant firewall
implementation (as far as I envision it), all tenants would
occupy different IP space so I don't get how any of the
state sessions would be affected. I'd be more concerned
with not enough sockets. 

Palo Alto has a virtual system set up built specifically
for this:

https://www.paloaltonetworks.com/products/features/virtual-systems.html

Now if only they'd send me free firewalls for marketing
them.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
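Blake's warning about shared state, worked through as an added example that is not code from the thread, from Palo Alto or from any other vendor: a toy model of a stateful firewall whose session table is one finite resource. A spoofed-source SYN flood against one tenant fills that table with half-open entries, and a client of a second tenant in entirely disjoint address space is then refused a new session, because the table is keyed on 5-tuples and does not care which tenant a packet was for. Giving each tenant its own quota (the partitioning a per-tenant session limit is meant to provide) or deliberately sacrificing the flooded tenant restores service for the rest. The tenant prefixes (RFC 5737 documentation ranges), the table sizes, the client addresses and the isolate()/flush behaviour are assumptions chosen for illustration.

```python
# Constructed toy model of a multi-tenant stateful firewall. Not code from the
# NANOG thread, from Palo Alto or from any product; the tenant prefixes, table
# sizes and client addresses below are assumptions made for illustration.
from dataclasses import dataclass, field

TENANTS = {                          # assumed tenant -> protected addresses
    "tenant_a": {"198.51.100.10"},   # the "juicy target"
    "tenant_b": {"192.0.2.10"},      # an unrelated tenant in disjoint IP space
}


@dataclass
class StateTable:
    """Connection-tracking (session) table with a hard capacity."""
    capacity: int
    flows: dict = field(default_factory=dict)   # 5-tuple -> owning tenant

    def insert(self, flow, tenant):
        if flow in self.flows:
            return True
        if len(self.flows) >= self.capacity:
            return False             # table full: new session refused, packet dropped
        self.flows[flow] = tenant
        return True

    def flush_tenant(self, tenant):
        victims = [f for f, t in self.flows.items() if t == tenant]
        for f in victims:
            del self.flows[f]
        return len(victims)


class Firewall:
    """One state table shared by all tenants, or one table (quota) per tenant."""

    def __init__(self, tenants, capacity, per_tenant_quota=None):
        self.tenant_of_ip = {ip: t for t, ips in tenants.items() for ip in ips}
        self.shared = StateTable(capacity) if per_tenant_quota is None else None
        self.per_tenant = (
            {t: StateTable(per_tenant_quota) for t in tenants}
            if per_tenant_quota else None
        )
        self.blackholed = set()      # tenants deliberately sacrificed

    def new_session(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        tenant = self.tenant_of_ip.get(dst_ip)
        if tenant is None or tenant in self.blackholed:
            return False
        flow = (src_ip, src_port, dst_ip, dst_port, proto)
        table = self.shared if self.shared is not None else self.per_tenant[tenant]
        return table.insert(flow, tenant)

    def isolate(self, tenant):
        """Sacrifice one tenant: drop its state and stop building sessions for it."""
        self.blackholed.add(tenant)
        return self.shared.flush_tenant(tenant) if self.shared is not None else 0


def syn_flood(fw, victim_ip, packets):
    """Spoofed-source SYN flood: every packet is a distinct 5-tuple, so each
    one tries to claim a state-table entry. Returns how many got one."""
    accepted = 0
    for i in range(packets):
        src = f"203.0.113.{i % 254 + 1}"   # assumed spoofed attacker sources
        if fw.new_session(src, 1024 + i, victim_ip, 80):
            accepted += 1
    return accepted


def legit_client_ok(fw):
    """One ordinary client opening a connection to tenant_b."""
    return fw.new_session("203.0.113.250", 50000, "192.0.2.10", 443)


def simulate(capacity=10_000, flood=20_000, per_tenant_quota=None):
    fw = Firewall(TENANTS, capacity, per_tenant_quota)
    flood_entries = syn_flood(fw, "198.51.100.10", flood)
    b_during_flood = legit_client_ok(fw)
    freed = fw.isolate("tenant_a") if per_tenant_quota is None else 0
    b_after_isolation = legit_client_ok(fw)
    return {"flood_entries": flood_entries,
            "tenant_b_during_flood": b_during_flood,
            "entries_freed": freed,
            "tenant_b_after_isolation": b_after_isolation}


if __name__ == "__main__":
    print("shared table:    ", simulate())
    print("per-tenant quota:", simulate(per_tenant_quota=5_000))
```

With the shared table, tenant_b's client is refused while the flood is under way even though no flood packet was addressed to it; once tenant_a is sacrificed and its entries flushed, the client gets through. With a per-tenant quota the flood caps out at tenant_a's share and tenant_b never notices. The same arithmetic applies to a real conntrack or session table (a global maximum is shared by every address behind the box), and a per-tenant quota only isolates tenants if the quotas together fit in the table.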

