[c-nsp] [j-nsp] Firewalls "as-a-service" in an MPLS infrastructure...

Keegan Holley keegan.holley at sungard.com
Fri Jul 8 09:15:16 EDT 2011


I never said it's not possible, just that I've rarely seen it done
correctly.  Not everyone has your level of skill.  Just for argument's sake,
how did you handle shared bandwidth?  In other words, how did you keep a DDOS
attack on one customer's segment from using up all available bandwidth in
some shared segment upstream from the firewall?

2011/7/8 Stefan Fouant <sfouant at shortestpathfirst.net>

> On 7/8/2011 12:28 AM, Keegan Holley wrote:
>
>> Could be interesting.  I've rarely seen firewall as a service done right
>> though.  It's hard to keep CPU, memory usage, DDOS attacks,
>> misconfiguration, etc. of one customer from affecting the other customers
>> that share hardware.  That being said, there are better platforms to run
>> the firewall instances on that are available now; Checkpoint VSX comes to
>> mind.
>>
>
> Years ago when I had to develop a Network Based Firewall solution for a
> particular ISP in order to comply with the Federal Government's NetworX bid,
> we chose Juniper's NS-5400 for precisely this reason.  In ScreenOS you have
> the concept of resource profiles with which you can limit the amount of CPU,
> Sessions, Policies, MIPs and DIPs (used for NAT), and other user defined
> objects such as address book entries, etc. that each VSYS can avail.
>
> These are essential elements of any multi-tenant firewall solution and
> evaluated platforms should likewise have similar offerings to contain
> resource usage for individual customers.
>
> Stefan Fouant
> JNCIE-ER #70, JNCIE-M #513, JNCI
> Technical Trainer, Juniper Networks
> http://www.shortestpathfirst.net
> http://www.twitter.com/sfouant
>
>
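The per-VSYS resource profile Stefan describes above is essentially admission control on a shared session table: each tenant gets a reserved slice it can always use and a hard ceiling it can never exceed, with the remainder borrowed from a shared pool. The following Python model is an added example written here to illustrate that idea; it is not ScreenOS code and does not reproduce Juniper's configuration syntax. The tenant names, the 10,000-session device capacity and the reserve/maximum figures are constructed values. It runs the same flood twice, once with a per-tenant maximum and once without, to show why the ceiling matters for the neighbouring tenant.

```python
from dataclasses import dataclass


@dataclass
class VsysProfile:
    """Constructed model of a per-tenant resource profile (reserve + ceiling)."""
    name: str
    reserved: int   # sessions this tenant can always obtain
    maximum: int    # sessions this tenant may never exceed, borrowed ones included


class SessionTable:
    """Shared session table partitioned by tenant profiles."""

    def __init__(self, capacity: int, profiles: list[VsysProfile]):
        total_reserved = sum(p.reserved for p in profiles)
        if total_reserved > capacity:
            raise ValueError("reservations exceed device capacity")
        self.profiles = {p.name: p for p in profiles}
        self.in_use = {p.name: 0 for p in profiles}
        # Whatever is not reserved is a pool any tenant may borrow from.
        self.shared_pool = capacity - total_reserved

    def admit(self, vsys: str) -> bool:
        """Try to open one session for `vsys`; return True if admitted."""
        profile = self.profiles[vsys]
        used = self.in_use[vsys]
        if used >= profile.maximum:
            return False                      # hard ceiling reached
        if used < profile.reserved:
            self.in_use[vsys] += 1            # consume own reservation first
            return True
        if self.shared_pool == 0:
            return False                      # nothing left to borrow
        self.shared_pool -= 1                 # borrow from the shared pool
        self.in_use[vsys] += 1
        return True

    def release(self, vsys: str) -> None:
        """Close one session; borrowed sessions go back to the shared pool."""
        if self.in_use[vsys] == 0:
            return
        # Reservation is always filled before borrowing, so any session above
        # the reserve count is a borrowed one.
        if self.in_use[vsys] > self.profiles[vsys].reserved:
            self.shared_pool += 1
        self.in_use[vsys] -= 1


def run_scenario(victim_max: int, flood: int = 100_000,
                 neighbour_demand: int = 2_500) -> tuple[int, int, int]:
    """Flood tenant A, then let tenant B open its normal sessions.

    Returns (sessions A obtained, sessions B obtained, shared pool left).
    """
    table = SessionTable(
        capacity=10_000,                       # constructed device capacity
        profiles=[
            VsysProfile("cust-a", reserved=2_000, maximum=victim_max),
            VsysProfile("cust-b", reserved=2_000, maximum=6_000),
        ],
    )
    a_got = sum(table.admit("cust-a") for _ in range(flood))
    b_got = sum(table.admit("cust-b") for _ in range(neighbour_demand))
    return a_got, b_got, table.shared_pool


def with_ceiling() -> tuple[int, int, int]:
    """Tenant A capped at 6,000 sessions: B still gets everything it asks for."""
    return run_scenario(victim_max=6_000)


def without_ceiling() -> tuple[int, int, int]:
    """Tenant A capped only by the device: B is squeezed down to its reserve."""
    return run_scenario(victim_max=10_000)


if __name__ == "__main__":
    print("with per-VSYS maximum   :", with_ceiling())
    print("without per-VSYS maximum:", without_ceiling())
```

With the ceiling in place the flooded tenant stops at 6,000 sessions and its neighbour gets all 2,500 it asks for; without it the flood drains the whole shared pool and the neighbour is left with only its 2,000 reserved sessions. The reserve is what keeps a tenant alive under someone else's attack; the maximum is what keeps the shared pool from being emptied in the first place. Keegan's follow-up about shared link bandwidth upstream of the firewall is a separate problem that this session-table model does not address.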

