[c-nsp] [j-nsp] Firewalls "as-a-service" in an MPLS infrastructure...

Ziv Leyes zivl at gilat.net
Fri Jul 8 11:23:23 EDT 2011


Radware's DefensePro comes to mind when talking about hardware performance during DDoS. You could put the device in the middle of the network and use some redirector such as CID or Alteon to separate customers that pay for the service from customers that don't, and pass only the traffic of the ones you want through the device.
We did a pilot with this setup and it worked great; I didn't see any DDoS that could possibly tickle the device's resources...

Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stefan Fouant
Sent: Friday, July 08, 2011 1:51 PM
To: Keegan Holley
Cc: juniper-nsp at puck.nether.net; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] [j-nsp] Firewalls "as-a-service" in an MPLS infrastructure...

On 7/8/2011 12:28 AM, Keegan Holley wrote:
> Could be interesting.  I've rarely seen firewall as a service done right
> though.  It's hard to keep CPU, memory usage, DDoS attacks,
> misconfiguration, etc. of one customer from affecting the other customers
> that share hardware.  That being said, there are better platforms to run the
> firewall instances on that are available now; Checkpoint VSX comes to mind.

Years ago when I had to develop a Network Based Firewall solution for a 
particular ISP in order to comply with the Federal Government's NetworX 
bid, we chose Juniper's NS-5400 for precisely this reason.  In ScreenOS 
you have the concept of resource profiles with which you can limit the 
amount of CPU, Sessions, Policies, MIPs and DIPs (used for NAT), and 
other user-defined objects such as address book entries, etc. that each 
VSYS can avail itself of.

These are essential elements of any multi-tenant firewall solution and 
evaluated platforms should likewise have similar offerings to contain 
resource usage for individual customers.

Stefan Fouant
JNCIE-ER #70, JNCIE-M #513, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant
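As an added illustration of the resource-profile argument above (this is not ScreenOS code and the session counts are constructed), a small Python model of a shared firewall session table with and without per-tenant session caps, showing how a flood against one tenant plays out for a neighbour:

```python
"""Toy model of per-tenant session quotas on a shared multi-tenant firewall.

Added illustration for the thread's point about per-VSYS resource profiles;
this is not ScreenOS code and all numbers are constructed.
"""
from collections import Counter


class SessionTable:
    """Shared session table with an optional per-tenant session cap."""

    def __init__(self, capacity, caps=None):
        self.capacity = capacity          # sessions the whole box can hold
        self.caps = caps or {}            # tenant -> max sessions for that tenant
        self.used = Counter()             # tenant -> sessions currently open

    def total(self):
        return sum(self.used.values())

    def open_session(self, tenant):
        """Return True if the session fits within both the tenant's cap and the box."""
        cap = self.caps.get(tenant)
        if cap is not None and self.used[tenant] >= cap:
            return False                  # tenant hit its own profile limit
        if self.total() >= self.capacity:
            return False                  # shared table exhausted
        self.used[tenant] += 1
        return True


def simulate(capacity, caps, flooded_tenant, flood, victim, wanted):
    """Flood the table through one tenant, then count what a second tenant still gets.

    Returns (sessions opened for the flooded tenant, sessions opened for the victim).
    """
    table = SessionTable(capacity, caps)
    got_flood = sum(table.open_session(flooded_tenant) for _ in range(flood))
    got_victim = sum(table.open_session(victim) for _ in range(wanted))
    return got_flood, got_victim


if __name__ == "__main__":
    # Constructed numbers: a 1000-session box, tenant A hit by a 5000-session flood,
    # tenant B trying to open 100 legitimate sessions afterwards.
    print("no per-tenant caps:", simulate(1000, {}, "A", 5000, "B", 100))
    # Caps whose sum does not exceed the box capacity act as guaranteed reservations.
    print("capped per tenant: ", simulate(1000, {"A": 600, "B": 400}, "A", 5000, "B", 100))
```

If the per-tenant caps are oversubscribed (their sum exceeds the shared capacity), the caps only limit the damage rather than eliminate it, which is the sizing check to make when evaluating such profiles.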