I have a bit of experience with managed firewall services. We tried to provide it for several years. To be honest, can't claim a tremendous success :)

Although I disagree about netscreen cli (at least in comparison with pix/asa), I can add that any sort of cli/webui of a network/security device itself is insufficient for providing it to enterprise customers. Even the most popular IOS cli provided to customers will require lots of helpdesk support. If we add the price of a license for context/vsys, I would think again whether this approach has business perspectives since (just my guess for the Russian market) most customers who are skilled enough to administrate any sort of firewall appliance prefer to have their own boxes. Moreover (maybe it is also a sort of local mental attitude) customers often think that enterprise network security is something you'd rather keep as close to you as possible.

So the most common customer for a managed firewall service is a small company with little experience in IT. A good exception is data centers, where such a service goes better. But it is quite a different story.

As for providing managed firewall service to the enterprise customers, I'd propose to use some external management solution with a primitive web interface for the end customers. This sort of service provisioning system will cost some additional money but in general such a model doesn't require multiple contexts. However, it needs a firewall which is ready for automated management (e.g. has an XML interface) and also supports enough routing instances (separate routing domains in a single context) for overlapping private IP spaces.

I know a vendor which produces firewalls capable of doing all this, but it is not cisco :)

--
Kind regards,
Pavel

2009/9/30 Dave Weis <djw...@internetsolver.com>

>
> On Wed, 30 Sep 2009, David Hughes wrote:
>
>> On 30/09/2009, at 7:08 AM, Dave Weis wrote:
>>
>>> On Tue, 29 Sep 2009, Christopher Hunt wrote:
>>>
>>>> As I painfully discovered, the Cisco ASA in Multiple Context mode does
>>>> not support IPSEC VPN clients nor L2TP3 tunnels
>>>>
>>>
>>> That's a pretty big omission! Any ETA to add that capability?
>>>
>> Yeah, they've never supported VPN in multi-context mode. Major pain. And
>> if you are a dense hosting provider the 50 context limit (and limited
>> performance) of a 5540 for example doesn't work too well. These issues made
>> us look around again and J-Vendor's boxes are making the ASA's look a bit
>> ordinary.
>>
>
> I never enjoyed working on the netscreens. I suppose if each virtual
> firewall customer could get the same awkward web interface for self
> provisioning it could be made to work.
>
> --
> Dave Weis
> djw...@internetsolver.com
> http://www.internetsolver.com/
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>