[j-nsp] [c-nsp] Firewalls "as-a-service" in an MPLS infrastructure...

Stefan Fouant sfouant at shortestpathfirst.net
Fri Jul 8 06:50:56 EDT 2011


On 7/8/2011 12:28 AM, Keegan Holley wrote:
> Could be interesting.  I've rarely seen firewall as a service done right
> though.  It's hard to keep, cpu, memory usage, DDOS attacks,
> misconfiguration, etc. of one customers from affecting the other customers
> that share hardware.  That being said there are better platforms to run the
> firewall instances on that are available now, checkpoint VSX comes to mind.

Years ago when I had to develop a Network Based Firewall solution for a 
particular ISP in order to comply with the Federal Government's NetworX 
bid, we chose Juniper's NS-5400 for precisely this reason.  In ScreenOS 
you have the concept of resource profiles with which you can limit the 
amount of CPU, Sessions, Policies, MIPs and DIPs (used for NAT), and 
other user defined objects such as address book entries, etc. that each 
VSYS can avail.

These are essential elements of any multi-tenant firewall solution and 
evaluated platforms should likewise have similar offerings to contain 
resource usage for individual customers.

Stefan Fouant
JNCIE-ER #70, JNCIE-M #513, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant


More information about the juniper-nsp mailing list