[c-nsp] [j-nsp] Firewalls "as-a-service" in an MPLS infrastructure...
Stefan Fouant
sfouant at shortestpathfirst.net
Fri Jul 8 06:50:56 EDT 2011
On 7/8/2011 12:28 AM, Keegan Holley wrote:
> Could be interesting. I've rarely seen firewall as a service done right
> though. It's hard to keep CPU, memory usage, DDOS attacks,
> misconfiguration, etc. of one customer from affecting the other customers
> that share hardware. That being said there are better platforms to run the
> firewall instances on that are available now, Check Point VSX comes to mind.
Years ago when I had to develop a Network Based Firewall solution for a
particular ISP in order to comply with the Federal Government's NetworX
bid, we chose Juniper's NS-5400 for precisely this reason. In ScreenOS
you have the concept of resource profiles with which you can limit the
amount of CPU, Sessions, Policies, MIPs and DIPs (used for NAT), and
other user defined objects such as address book entries, etc. that each
VSYS can avail itself of.
These are essential elements of any multi-tenant firewall solution and
evaluated platforms should likewise have similar offerings to contain
resource usage for individual customers.
Stefan Fouant
JNCIE-ER #70, JNCIE-M #513, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant
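The per-VSYS session limits described above, modelled as an added example (constructed here, not ScreenOS code or anything from the thread): each tenant gets a guaranteed reserve and a hard max, and anything beyond the reserve is drawn from a shared pool, so one tenant's session flood cannot eat into another tenant's guarantee. The profile numbers and tenant names are made up.

```python
from typing import Dict


class VsysProfile:
    """Per-tenant session quota: guaranteed reserve plus a hard max (constructed model)."""

    def __init__(self, reserve: int, max_sessions: int) -> None:
        self.reserve = reserve            # sessions guaranteed to this tenant
        self.max_sessions = max_sessions  # hard cap for this tenant
        self.from_reserve = 0             # sessions counted against the reserve
        self.from_shared = 0              # sessions borrowed from the shared pool

    @property
    def used(self) -> int:
        return self.from_reserve + self.from_shared


class SessionTable:
    """Device-wide session admission across all virtual systems."""

    def __init__(self, capacity: int, profiles: Dict[str, VsysProfile]) -> None:
        reserved = sum(p.reserve for p in profiles.values())
        if reserved > capacity:
            raise ValueError("sum of reserves exceeds device capacity")
        self.profiles = profiles
        self.shared_pool = capacity - reserved  # sessions any tenant may borrow
        self.shared_used = 0

    def open_session(self, vsys: str) -> bool:
        """Admit one new session for vsys; False means the profile refused it."""
        p = self.profiles[vsys]
        if p.used >= p.max_sessions:
            return False                        # tenant hit its own cap
        if p.from_reserve < p.reserve:
            p.from_reserve += 1                 # guaranteed slot, never contended
            return True
        if self.shared_used < self.shared_pool:
            p.from_shared += 1                  # borrow from the shared pool
            self.shared_used += 1
            return True
        return False                            # shared pool exhausted by others

    def close_session(self, vsys: str) -> None:
        p = self.profiles[vsys]
        if p.from_shared:                       # give borrowed slots back first
            p.from_shared -= 1
            self.shared_used -= 1
        elif p.from_reserve:
            p.from_reserve -= 1


def flood_demo() -> Dict[str, int]:
    """'cust-a' floods until refused; 'cust-b' still gets its full reserve."""
    table = SessionTable(100, {"cust-a": VsysProfile(reserve=20, max_sessions=60),
                               "cust-b": VsysProfile(reserve=30, max_sessions=50)})
    admitted = {"cust-a": 0, "cust-b": 0}
    for vsys in ("cust-a", "cust-b"):
        while table.open_session(vsys):
            admitted[vsys] += 1
    return admitted
```

Without the reserve, the flooding tenant would take 60 of the 100 slots and leave the second tenant competing for the remainder; with it, the second tenant's 30 guaranteed sessions are admitted regardless.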