A multi-tenant firewall for an MSSP
Hello All, We are planning to implement a multi-tenant FW/UTM and start providing security as a service, I would like to hear if anybody had experience on this, and if there are any recommendations for the UTM's vendor. People/customers here are more familiar with the Fortigate, however, we need to build a well-rounded solution that suits wide range of enterprises' business needs. Thanks, Ramy
I have seen one of our customers using Sophos and they are relatively happy about it. Not directly experienced though. Thanks Rakesh On Mon, Aug 17, 2015 at 10:16 AM, Ramy Hashish <ramy.ihashish@gmail.com> wrote:
Hello All,
We are planning to implement a multi-tenant FW/UTM and start providing security as a service, I would like to hear if anybody had experience on this, and if there are any recommendations for the UTM's vendor.
People/customers here are more familiar with the Fortigate, however, we need to build a well-rounded solution that suits wide range of enterprises' business needs.
Thanks,
Ramy
sophos utm works great :) Colin
On 17 Aug 2015, at 05:56, Rakesh M <raaki.88@gmail.com> wrote:
I have seen one of our customers using Sophos and they are relatively happy about it. Not directly experienced though.
Thanks Rakesh
On Mon, Aug 17, 2015 at 10:16 AM, Ramy Hashish <ramy.ihashish@gmail.com> wrote:
Hello All,
We are planning to implement a multi-tenant FW/UTM and start providing security as a service, I would like to hear if anybody had experience on this, and if there are any recommendations for the UTM's vendor.
People/customers here are more familiar with the Fortigate, however, we need to build a well-rounded solution that suits wide range of enterprises' business needs.
Thanks,
Ramy
Is there a multi-tennant capable UTM from Sophos? Or are you using a vm instance per customer? Thanks, Andrew On 17.08.2015 16:47, Colin Johnston wrote:
sophos utm works great :)
Colin
On 17 Aug 2015, at 05:56, Rakesh M <raaki.88@gmail.com> wrote:
I have seen one of our customers using Sophos and they are relatively happy about it. Not directly experienced though.
Thanks Rakesh
On Mon, Aug 17, 2015 at 10:16 AM, Ramy Hashish <ramy.ihashish@gmail.com> wrote:
Hello All,
We are planning to implement a multi-tenant FW/UTM and start providing security as a service, I would like to hear if anybody had experience on this, and if there are any recommendations for the UTM's vendor.
People/customers here are more familiar with the Fortigate, however, we need to build a well-rounded solution that suits wide range of enterprises' business needs.
Thanks,
Ramy
one vm per sophos utm per customer works well even with low ram as well Colin
On 17 Aug 2015, at 08:14, Andrew Jones <aj@jonesy.com.au> wrote:
Is there a multi-tennant capable UTM from Sophos? Or are you using a vm instance per customer? Thanks, Andrew
On 17.08.2015 16:47, Colin Johnston wrote:
sophos utm works great :)
Colin
On 17 Aug 2015, at 05:56, Rakesh M <raaki.88@gmail.com> wrote:
I have seen one of our customers using Sophos and they are relatively happy about it. Not directly experienced though.
Thanks Rakesh
On Mon, Aug 17, 2015 at 10:16 AM, Ramy Hashish <ramy.ihashish@gmail.com> wrote:
Hello All,
We are planning to implement a multi-tenant FW/UTM and start providing security as a service, I would like to hear if anybody had experience on this, and if there are any recommendations for the UTM's vendor.
People/customers here are more familiar with the Fortigate, however, we need to build a well-rounded solution that suits wide range of enterprises' business needs.
Thanks,
Ramy
hi
On Mon, Aug 17, 2015 at 10:16 AM, Ramy Hashish <ramy.ihashish@gmail.com> wrote:
We are planning to implement a multi-tenant FW/UTM and start providing security as a service, I would like to hear if anybody had experience on
that'd be a good thing ... but ...
this, and if there are any recommendations for the UTM's vendor.
the possible vendors would depend on the answers to your idea of what is "well rounded solution" # fortinet's (possible) competitors http://ddos-Mitigator.net/Competitors
People/customers here are more familiar with the Fortigate, however, we need to build a well-rounded solution that suits wide range of enterprises' business needs.
# i doubt there is one product that provides the "well rounded solution" in my world, "well rounded solution" would imply at least the following: - anti virus solution ( one or more products to resolve the virus issue ) - anti spam solution ( one or more products to resolve the spam issue ) - iptables with tarpit ( protect against the free tcp-based script kiddies tests ) - udp limiting at isp ( part of iptables or your edge routers ) - icmp limiting at isp ( part of iptables or your edge routers ) - ingress/egress filters for your downlinks - geographically distributed colo to mitigate small/medium sized ddos attacks - regulatory compliance this and certified that vs "just anybody" ... - good response time to fix problems reported by competent customer's IT folks - other things you deem important to provide .. pixie dust alvin # # ddos-Mitigator.net # ddos-Simulator.net
On Mon, Aug 17, 2015 at 9:27 AM, alvin nanog <nanogml@mail.ddos-mitigator.net> wrote:
hi
On Mon, Aug 17, 2015 at 10:16 AM, Ramy Hashish <ramy.ihashish@gmail.com> wrote:
We are planning to implement a multi-tenant FW/UTM and start providing security as a service, I would like to hear if anybody had experience on
that'd be a good thing ... but ...
this, and if there are any recommendations for the UTM's vendor.
the possible vendors would depend on the answers to your idea of what is "well rounded solution"
# fortinet's (possible) competitors http://ddos-Mitigator.net/Competitors
People/customers here are more familiar with the Fortigate, however, we need to build a well-rounded solution that suits wide range of enterprises' business needs.
# i doubt there is one product that provides the "well rounded solution"
in my world, "well rounded solution" would imply at least the following: - anti virus solution ( one or more products to resolve the virus issue ) - anti spam solution ( one or more products to resolve the spam issue ) - iptables with tarpit ( protect against the free tcp-based script kiddies tests ) - udp limiting at isp ( part of iptables or your edge routers ) - icmp limiting at isp ( part of iptables or your edge routers ) - ingress/egress filters for your downlinks - geographically distributed colo to mitigate small/medium sized ddos attacks - regulatory compliance this and certified that vs "just anybody" ... - good response time to fix problems reported by competent customer's IT folks - other things you deem important to provide ..
+ Good AQM and queue management Sophos has fq_codel. /me happy.
pixie dust alvin # # ddos-Mitigator.net # ddos-Simulator.net
-- Dave Täht worldwide bufferbloat report: http://www.dslreports.com/speedtest/results/bufferbloat And: What will it take to vastly improve wifi for everyone? https://plus.google.com/u/0/explore/makewififast
Thank you Rakesh and Colin. I just want to amend something, "FW as a service" rather than "security as a service". Are you sure sophos has such a solution? Thanks, Ramy On Mon, Aug 17, 2015 at 9:47 AM, Colin Johnston <colinj@gt86car.org.uk> wrote:
sophos utm works great :)
Colin
On 17 Aug 2015, at 05:56, Rakesh M <raaki.88@gmail.com> wrote:
I have seen one of our customers using Sophos and they are relatively happy about it. Not directly experienced though.
Thanks Rakesh
On Mon, Aug 17, 2015 at 10:16 AM, Ramy Hashish <ramy.ihashish@gmail.com> wrote:
Hello All,
We are planning to implement a multi-tenant FW/UTM and start providing security as a service, I would like to hear if anybody had experience on this, and if there are any recommendations for the UTM's vendor.
People/customers here are more familiar with the Fortigate, however, we need to build a well-rounded solution that suits wide range of enterprises' business needs.
Thanks,
Ramy
Have a look below Ramy pdf https://www.sophos.com/en-us/medialibrary/PDFs/partners/sophos_complete_secu... On Mon, Aug 17, 2015 at 12:59 PM, Ramy Hashish <ramy.ihashish@gmail.com> wrote:
Thank you Rakesh and Colin.
I just want to amend something, "FW as a service" rather than "security as a service".
Are you sure sophos has such a solution?
Thanks,
Ramy
On Mon, Aug 17, 2015 at 9:47 AM, Colin Johnston <colinj@gt86car.org.uk> wrote:
sophos utm works great :)
Colin
On 17 Aug 2015, at 05:56, Rakesh M <raaki.88@gmail.com> wrote:
I have seen one of our customers using Sophos and they are relatively happy about it. Not directly experienced though.
Thanks Rakesh
On Mon, Aug 17, 2015 at 10:16 AM, Ramy Hashish <ramy.ihashish@gmail.com
wrote:
Hello All,
We are planning to implement a multi-tenant FW/UTM and start providing security as a service, I would like to hear if anybody had experience on this, and if there are any recommendations for the UTM's vendor.
People/customers here are more familiar with the Fortigate, however, we need to build a well-rounded solution that suits wide range of enterprises' business needs.
Thanks,
Ramy
of course checkpoint. On Mon, Aug 17, 2015 at 4:57 AM, Rakesh M <raaki.88@gmail.com> wrote:
Have a look below Ramy pdf
https://www.sophos.com/en-us/medialibrary/PDFs/partners/sophos_complete_secu...
On Mon, Aug 17, 2015 at 12:59 PM, Ramy Hashish <ramy.ihashish@gmail.com> wrote:
Thank you Rakesh and Colin.
I just want to amend something, "FW as a service" rather than "security as a service".
Are you sure sophos has such a solution?
Thanks,
Ramy
On Mon, Aug 17, 2015 at 9:47 AM, Colin Johnston <colinj@gt86car.org.uk> wrote:
sophos utm works great :)
Colin
On 17 Aug 2015, at 05:56, Rakesh M <raaki.88@gmail.com> wrote:
I have seen one of our customers using Sophos and they are relatively happy about it. Not directly experienced though.
Thanks Rakesh
On Mon, Aug 17, 2015 at 10:16 AM, Ramy Hashish <ramy.ihashish@gmail.com
wrote:
Hello All,
We are planning to implement a multi-tenant FW/UTM and start providing security as a service, I would like to hear if anybody had experience on this, and if there are any recommendations for the UTM's vendor.
People/customers here are more familiar with the Fortigate, however, we need to build a well-rounded solution that suits wide range of enterprises' business needs.
Thanks,
Ramy
On Mon, Aug 17, 2015 at 7:46 AM, Ramy Hashish <ramy.ihashish@gmail.com> wrote:
Hello All,
We are planning to implement a multi-tenant FW/UTM and start providing security as a service, I would like to hear if anybody had experience on this, and if there are any recommendations for the UTM's vendor.
Check Point VS might be a good fit. Also there is McAfee NGFW that can be used as a multi-tenant solution. Other solutions are Fortigate (what you mentioned), ASA w/ contexts (not sure about UTM support in contexts though).
People/customers here are more familiar with the Fortigate, however, we need to build a well-rounded solution that suits wide range of enterprises' business needs.
I think that you first define what the most wanted needs of your clients are and work from that.
Since no one else has mentioned it, I'll dive on that fire. Be careful when setting up a multi-tenant security solution that you are not accidentally selling "DoS as a Service" to your clients. State is evil, and state sharing with other targets is dangerous. Target sharing with other targets that are outsourcing their security can get increasingly scary especially if one of these clients is a juicy target. Make sure you have the infrastructure in place to quickly isolate your clients so that they do not fate share if they become in the focus of DoS attacks. This can mean isolated infrastructure for those you wish to keep up, or sacrificial infrastructure for those you are willing to let drop for the greater good. -Blake On Tue, Aug 18, 2015 at 10:38 AM, Eugeniu Patrascu <eugen@imacandi.net> wrote:
On Mon, Aug 17, 2015 at 7:46 AM, Ramy Hashish <ramy.ihashish@gmail.com> wrote:
Hello All,
We are planning to implement a multi-tenant FW/UTM and start providing security as a service, I would like to hear if anybody had experience on this, and if there are any recommendations for the UTM's vendor.
Check Point VS might be a good fit. Also there is McAfee NGFW that can be used as a multi-tenant solution.
Other solutions are Fortigate (what you mentioned), ASA w/ contexts (not sure about UTM support in contexts though).
People/customers here are more familiar with the Fortigate, however, we need to build a well-rounded solution that suits wide range of enterprises' business needs.
I think that you first define what the most wanted needs of your clients are and work from that.
On Tue, 18 Aug 2015, Blake Dunlap wrote:
Since no one else has mentioned it, I'll dive on that fire.
Be careful when setting up a multi-tenant security solution that you are not accidentally selling "DoS as a Service" to your clients. State is evil, and state sharing with other targets is dangerous. Target sharing with other targets that are outsourcing their security can get increasingly scary especially if one of these clients is a juicy target. Make sure you have the infrastructure in place to quickly isolate your clients so that they do not fate share if they become in the focus of DoS attacks. This can mean isolated infrastructure for those you wish to keep up, or sacrificial infrastructure for those you are willing to let drop for the greater good.
-Blake
Unsure what you meant by this. In a multi-tenant firewall implementation (as far as I envision it), all tenants would occupy different IP space so I don't get how any of the state sessions would be affected. I'd be more concerned with not enough sockets. Palo Alto has a virtual system set up built specifically for this: https://www.paloaltonetworks.com/products/features/virtual-systems.html Now if only they'd send me free firewalls for marketing them. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "Where ignorance is our master, there is no possibility of real peace" - Dalai Lama 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
On 18 Aug 2015, at 20:48, J. Oquendo <joquendo@e-fensive.net> wrote:
On Tue, 18 Aug 2015, Blake Dunlap wrote:
Since no one else has mentioned it, I'll dive on that fire.
Be careful when setting up a multi-tenant security solution that you are not accidentally selling "DoS as a Service" to your clients. State is evil, and state sharing with other targets is dangerous. Target sharing with other targets that are outsourcing their security can get increasingly scary especially if one of these clients is a juicy target. Make sure you have the infrastructure in place to quickly isolate your clients so that they do not fate share if they become in the focus of DoS attacks. This can mean isolated infrastructure for those you wish to keep up, or sacrificial infrastructure for those you are willing to let drop for the greater good.
-Blake
Unsure what you meant by this. In a multi-tenant firewall implementation (as far as I envision it), all tenants would occupy different IP space so I don't get how any of the state sessions would be affected. I'd be more concerned with not enough sockets.
Palo Alto has a virtual system set up built specifically for this:
https://www.paloaltonetworks.com/products/features/virtual-systems.html
Now if only they'd send me free firewalls for marketing them.
-- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama
0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463 https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
Back in my corporate days, the company that I was working for had persistent problems with a large UK ISP who insisted on providing a centralised "managed" firewall service for their multi-site internet connectivity (basically an L3VPN with a gateway for internet breakout), despite then setting the rules to allow everything as each site on the network had its own local firewall under our administrative control. The ISP were using Cisco FWSM with each customer in their own context and the company I was working for would periodically stop receiving any responses to DNS lookups irrespective of the server queried. It eventually turned out that another customer on the same FWSM kept getting DoSed and when this happened it caused some form of resource exhaustion (I'm afraid I can't recall the exact details) which broke things in the other contexts - the most noticeable of which was the protocol inspection/fixup stuff that was looking at DNS traffic! Of course, this may have been a configuration issue or a problem with the specific version of software that the ISP were running. Edward Dore Freethought Internet
participants (11)
-
alvin nanog
-
Andrew Jones
-
Blake Dunlap
-
Christopher Morrow
-
Colin Johnston
-
Dave Taht
-
Edward Dore
-
Eugeniu Patrascu
-
J. Oquendo
-
Rakesh M
-
Ramy Hashish