[c-nsp] Hardware for 'managed firewall'

Pavel Lunin plunin at senetsy.ru
Tue Oct 13 17:26:15 EDT 2009


I have a bit of experience with managed firewall services. We tried to
provide it for several years. To be honest, I can't claim a tremendous
success :)

Although I disagree about netscreen cli (at least in comparison with
pix/asa), I can add that any sort of cli/webui of a network/security device
itself is insufficient for providing it to enterprise customers.

Even the most popular IOS cli provided to customers will require lots of
helpdesk support. If we add the price of a license for context/vsys, I would
think again whether this approach has business perspectives since (just my
guess for the Russian market) most customers who are skilled enough to
administer any sort of firewall appliance prefer to have their own boxes.
Moreover (maybe it is also a sort of local mental attitude) customers often
think that enterprise network security is something you'd rather keep as
close to you as possible. So the most common customer for a managed
firewall service is a small company with little experience in IT.

A good exception is data centers where such a service goes better. But it is
quite a different story.

As for providing managed firewall service to enterprise customers, I'd
propose to use some external management solution with a primitive web
interface for the end customers.

This sort of service provisioning system will cost some additional money, but
in general such a model doesn't require multiple contexts. However, it needs
a firewall which is ready for automated management (e.g. has an XML
interface) and also supports enough routing instances (separate routing
domains in a single context) for overlapping private IP spaces.

I know a vendor which produces firewalls capable of doing all this, but it is
not cisco :)

--
Kind regards,
Pavel

2009/9/30 Dave Weis <djweis at internetsolver.com>

>
> On Wed, 30 Sep 2009, David Hughes wrote:
>
>> On 30/09/2009, at 7:08 AM, Dave Weis wrote:
>>
>>> On Tue, 29 Sep 2009, Christopher Hunt wrote:
>>>
>>>> As I painfully discovered, the Cisco ASA in Multiple Context mode does
>>>> not support IPSEC VPN clients nor L2TP3 tunnels
>>>>
>>>
>>> That's a pretty big omission! Any ETA to add that capability?
>>>
>> Yeah, they've never supported VPN in multi-context mode.  Major pain.  And
>> if you are a dense hosting provider the 50 context limit (and limited
>> performance) of a 5540 for example doesn't work too well.  These issues made
>> us look around again and J-Vendor's boxes are making the ASAs look a bit
>> ordinary.
>>
>
> I never enjoyed working on the netscreens. I suppose if each virtual
> firewall customer could get the same awkward web interface for self
> provisioning it could be made to work.
>
> --
> Dave Weis
> djweis at internetsolver.com
> http://www.internetsolver.com/
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
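The model Pavel sketches above (an external provisioning layer with a simple customer web UI, one routing instance per customer instead of one context per customer, and an XML management interface on the firewall) is illustrated here with an added toy example. It is not code from the thread or from any vendor: the tenant names, prefixes and the XML schema are constructed, and the scope check is the kind of validation the self-service front end would have to enforce so one customer cannot author policy that names another customer's address space.

```python
"""Toy multi-tenant provisioning model for a managed firewall service.

Added example (not from the mailing-list thread). Shows why customers with
overlapping RFC1918 space need separate routing instances, how a
self-service rule must be scoped to the tenant's own prefixes, and what a
per-tenant XML push to an automated management interface could look like.
All tenant names, prefixes and the XML element names are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class Tenant:
    name: str
    prefixes: list                              # CIDR strings the customer owns
    rules: list = field(default_factory=list)   # (src, dst, dport, action)


def networks(tenant):
    return [ipaddress.ip_network(p) for p in tenant.prefixes]


def overlapping_tenants(tenants):
    """Pairs of tenants whose address space overlaps. Such a pair cannot
    share one routing table, which is the reason for routing instances."""
    pairs = []
    for i, a in enumerate(tenants):
        for b in tenants[i + 1:]:
            if any(na.version == nb.version and na.overlaps(nb)
                   for na in networks(a) for nb in networks(b)):
                pairs.append((a.name, b.name))
    return pairs


def plan_routing_instances(tenants):
    """One routing instance per tenant (constructed naming scheme); overlapping
    prefixes are then harmless because each instance has its own table."""
    return {t.name: f"ri-{t.name}" for t in tenants}


def rule_in_scope(tenant, src, dst):
    """A self-service rule may only name 'any' or the tenant's own prefixes.
    This is the check the customer web UI must enforce server-side."""
    nets = networks(tenant)

    def owned(addr):
        if addr == "any":
            return True
        n = ipaddress.ip_network(addr, strict=False)
        return any(n.version == t.version and n.subnet_of(t) for t in nets)

    return owned(src) and owned(dst)


def add_rule(tenant, src, dst, dport, action):
    if not rule_in_scope(tenant, src, dst):
        raise ValueError(f"{tenant.name}: rule references address space outside the tenant")
    tenant.rules.append((src, dst, dport, action))


def build_config(tenants):
    """Emit a vendor-neutral XML document (constructed schema, not any real
    firewall's API) that the provisioning system would push to the device."""
    ris = plan_routing_instances(tenants)
    root = ET.Element("firewall-config")
    for t in tenants:
        ri = ET.SubElement(root, "routing-instance", name=ris[t.name])
        for p in t.prefixes:
            ET.SubElement(ri, "prefix").text = p
        policy = ET.SubElement(ri, "policy")
        for src, dst, dport, action in t.rules:
            ET.SubElement(policy, "rule", src=src, dst=dst,
                          dport=str(dport), action=action)
    return ET.tostring(root, encoding="unicode")


def demo():
    # Two constructed customers that both use 10.0.0.0/16 internally.
    acme = Tenant("acme", ["10.0.0.0/16"])
    globex = Tenant("globex", ["10.0.0.0/16", "192.168.1.0/24"])
    add_rule(acme, "10.0.1.0/24", "any", 443, "permit")
    add_rule(globex, "any", "10.0.5.10/32", 22, "deny")
    return overlapping_tenants([acme, globex]), build_config([acme, globex])


if __name__ == "__main__":
    pairs, xml_doc = demo()
    print("overlapping tenants:", pairs)
    print(xml_doc)
```

Running `demo()` reports `acme` and `globex` as overlapping and produces two `routing-instance` elements, each carrying only its own tenant's prefixes and rules; a rule that names a prefix the tenant does not own is rejected before anything is pushed.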