On Tue, 18 Aug 2015, Blake Dunlap wrote:
Since no one else has mentioned it, I'll dive on that fire.
Be careful when setting up a multi-tenant security solution that you are not accidentally selling "DoS as a Service" to your clients. State is evil, and state sharing with other targets is dangerous. Target sharing with other targets that are outsourcing their security can get increasingly scary especially if one of these clients is a juicy target. Make sure you have the infrastructure in place to quickly isolate your clients so that they do not fate share if they become in the focus of DoS attacks. This can mean isolated infrastructure for those you wish to keep up, or sacrificial infrastructure for those you are willing to let drop for the greater good.
-Blake
Unsure what you meant by this. In a multi-tenant firewall implementation (as far as I envision it), all tenants would occupy different IP space so I don't get how any of the state sessions would be affected. I'd be more concerned with not enough sockets. Palo Alto has a virtual system set up built specifically for this: https://www.paloaltonetworks.com/products/features/virtual-systems.html Now if only they'd send me free firewalls for marketing them. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463