Re: A multi-tenant firewall for an MSSP
On 18 Aug 2015, at 20:48, J. Oquendo wrote:

> On Tue, 18 Aug 2015, Blake Dunlap wrote:
>
>> Since no one else has mentioned it, I'll dive on that fire.
>>
>> Be careful when setting up a multi-tenant security solution that you
>> are not accidentally selling "DoS as a Service" to your clients. State
>> is evil, and state sharing with other targets is dangerous. Target
>> sharing with other targets that are outsourcing their security can get
>> increasingly scary especially if one of these clients is a juicy
>> target. Make sure you have the infrastructure in place to quickly
>> isolate your clients so that they do not fate share if they become in
>> the focus of DoS attacks. This can mean isolated infrastructure for
>> those you wish to keep up, or sacrificial infrastructure for those you
>> are willing to let drop for the greater good.
>>
>> -Blake
>>
>
> Unsure what you meant by this. In a multi-tenant firewall
> implementation (as far as I envision it), all tenants would
> occupy different IP space so I don't get how any of the
> state sessions would be affected. I'd be more concerned
> with not enough sockets.
>
> Palo Alto has a virtual system set up built specifically
> for this:
>
> https://www.paloaltonetworks.com/products/features/virtual-systems.html
>
> Now if only they'd send me free firewalls for marketing
> them.
>
> --
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
>
> "Where ignorance is our master, there is no possibility of
> real peace" - Dalai Lama
>
> 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463
> https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463

Back in my corporate days, the company that I was working for had persistent problems with a large UK ISP who insisted on providing a centralised "managed" firewall service for their multi-site internet connectivity (basically an L3VPN with a gateway for internet breakout), despite then setting the rules to allow everything as each site on the network had its own local firewall under our administrative control.

The ISP were using Cisco FWSM with each customer in their own context and the company I was working for would periodically stop receiving any responses to DNS lookups irrespective of the server queried.

It eventually turned out that another customer on the same FWSM kept getting DoSed and when this happened it caused some form of resource exhaustion (I'm afraid I can't recall the exact details) which broke things in the other contexts - the most noticeable of which was the protocol inspection/fixup stuff that was looking at DNS traffic!

Of course, this may have been a configuration issue or a problem with the specific version of software that the ISP were running.

Edward Dore
Freethought Internet
Re: A multi-tenant firewall for an MSSP
On Tue, 18 Aug 2015, Blake Dunlap wrote:

> Since no one else has mentioned it, I'll dive on that fire.
>
> Be careful when setting up a multi-tenant security solution that you
> are not accidentally selling "DoS as a Service" to your clients. State
> is evil, and state sharing with other targets is dangerous. Target
> sharing with other targets that are outsourcing their security can get
> increasingly scary especially if one of these clients is a juicy
> target. Make sure you have the infrastructure in place to quickly
> isolate your clients so that they do not fate share if they become in
> the focus of DoS attacks. This can mean isolated infrastructure for
> those you wish to keep up, or sacrificial infrastructure for those you
> are willing to let drop for the greater good.
>
> -Blake
>

Unsure what you meant by this. In a multi-tenant firewall implementation (as far as I envision it), all tenants would occupy different IP space so I don't get how any of the state sessions would be affected. I'd be more concerned with not enough sockets.

Palo Alto has a virtual system set up built specifically for this:

https://www.paloaltonetworks.com/products/features/virtual-systems.html

Now if only they'd send me free firewalls for marketing them.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
Re: A multi-tenant firewall for an MSSP
Since no one else has mentioned it, I'll dive on that fire.

Be careful when setting up a multi-tenant security solution that you are not accidentally selling "DoS as a Service" to your clients. State is evil, and state sharing with other targets is dangerous. Target sharing with other targets that are outsourcing their security can get increasingly scary especially if one of these clients is a juicy target. Make sure you have the infrastructure in place to quickly isolate your clients so that they do not fate share if they become in the focus of DoS attacks. This can mean isolated infrastructure for those you wish to keep up, or sacrificial infrastructure for those you are willing to let drop for the greater good.

-Blake

On Tue, Aug 18, 2015 at 10:38 AM, Eugeniu Patrascu wrote:

> On Mon, Aug 17, 2015 at 7:46 AM, Ramy Hashish wrote:
>
>> Hello All,
>>
>> We are planning to implement a multi-tenant FW/UTM and start providing
>> security as a service, I would like to hear if anybody had experience on
>> this, and if there are any recommendations for the UTM's vendor.
>>
>
> Check Point VS might be a good fit. Also there is McAfee NGFW that can be
> used as a multi-tenant solution.
>
> Other solutions are Fortigate (what you mentioned), ASA w/ contexts (not
> sure about UTM support in contexts though).
>
>> People/customers here are more familiar with the Fortigate, however, we
>> need to build a well-rounded solution that suits wide range of enterprises'
>> business needs.
>>
>
> I think that you first define what the most wanted needs of your clients
> are and work from that.
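Added example, not part of the original thread: a constructed Python model of the fate sharing described in the message above, which is also the kind of cross-context failure Edward Dore reports from a shared FWSM. It assumes one device-wide session table with a fixed capacity; the class, tenant names, capacities, rates and addresses are invented for illustration and do not model any vendor's product.

```python
# Added example: constructed model, not any vendor's implementation.
from collections import Counter


class StateTable:
    """Session table of one firewall shared by several tenants.

    capacity     -- entries the device can hold in total (assumed limit)
    tenant_quota -- per-tenant cap; None models one unpartitioned pool
    """

    def __init__(self, capacity, tenant_quota=None):
        self.capacity = capacity
        self.tenant_quota = tenant_quota
        self.entries = {}            # (tenant, flow) -> expiry tick
        self.per_tenant = Counter()  # live entries per tenant
        self.dropped = Counter()     # refused new sessions per tenant

    def expire(self, now):
        for key in [k for k, exp in self.entries.items() if exp <= now]:
            del self.entries[key]
            self.per_tenant[key[0]] -= 1

    def admit(self, tenant, flow, now, ttl):
        # Keys include the tenant, so address spaces never collide;
        # what the tenants share is the table's capacity.
        quota_hit = (self.tenant_quota is not None
                     and self.per_tenant[tenant] >= self.tenant_quota)
        if quota_hit or len(self.entries) >= self.capacity:
            self.dropped[tenant] += 1
            return False
        self.entries[(tenant, flow)] = now + ttl
        self.per_tenant[tenant] += 1
        return True


def simulate(table, ticks=60, flood_per_tick=500, dns_per_tick=5):
    """Tenant A is flooded with unique flows; tenant B does a few DNS
    lookups per tick. Returns the fraction of B's lookups admitted."""
    ok = total = 0
    for now in range(ticks):
        table.expire(now)
        for i in range(flood_per_tick):      # sessions towards tenant A
            # last field is a unique id standing in for varying source ports
            flow = ("198.51.100.7", "203.0.113.10", 80, now * flood_per_tick + i)
            table.admit("tenant-a", flow, now, ttl=30)
        for i in range(dns_per_tick):        # tenant B's own lookups
            flow = ("192.0.2.20", "192.0.2.53", 53, now * dns_per_tick + i)
            total += 1
            ok += table.admit("tenant-b", flow, now, ttl=2)
    return ok / total


if __name__ == "__main__":
    print("shared pool      :", simulate(StateTable(10000)))
    print("per-tenant quota :", simulate(StateTable(10000, tenant_quota=4000)))
```

With the shared pool, tenant B's lookups stop being admitted once tenant A's sessions fill the table; with the quota, tenant A's excess is refused and tenant B is unaffected.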
Re: A multi-tenant firewall for an MSSP
On Mon, Aug 17, 2015 at 7:46 AM, Ramy Hashish wrote:

> Hello All,
>
> We are planning to implement a multi-tenant FW/UTM and start providing
> security as a service, I would like to hear if anybody had experience on
> this, and if there are any recommendations for the UTM's vendor.
>

Check Point VS might be a good fit. Also there is McAfee NGFW that can be used as a multi-tenant solution.

Other solutions are Fortigate (what you mentioned), ASA w/ contexts (not sure about UTM support in contexts though).

> People/customers here are more familiar with the Fortigate, however, we
> need to build a well-rounded solution that suits wide range of enterprises'
> business needs.
>

I think that you first define what the most wanted needs of your clients are and work from that.
Re: A multi-tenant firewall for an MSSP
On Mon, Aug 17, 2015 at 9:27 AM, alvin nanog wrote:

>
> hi
>
>> On Mon, Aug 17, 2015 at 10:16 AM, Ramy Hashish wrote:
>>
>> We are planning to implement a multi-tenant FW/UTM and start providing
>> security as a service, I would like to hear if anybody had experience on
>
> that'd be a good thing ... but ...
>
>> this, and if there are any recommendations for the UTM's vendor.
>
> the possible vendors would depend on the answers to your idea of
> what is "well rounded solution"
>
> # fortinet's (possible) competitors
> http://ddos-Mitigator.net/Competitors
>
>> People/customers here are more familiar with the Fortigate, however, we
>> need to build a well-rounded solution that suits wide range of enterprises'
>> business needs.
>
> # i doubt there is one product that provides the "well rounded solution"
>
> in my world, "well rounded solution" would imply at least the following:
> - anti virus solution ( one or more products to resolve the virus issue )
> - anti spam solution ( one or more products to resolve the spam issue )
> - iptables with tarpit ( protect against the free tcp-based script kiddies
>   tests )
> - udp limiting at isp ( part of iptables or your edge routers )
> - icmp limiting at isp ( part of iptables or your edge routers )
> - ingress/egress filters for your downlinks
> - geographically distributed colo to mitigate small/medium sized ddos attacks
> - regulatory compliance this and certified that vs "just anybody" ...
> - good response time to fix problems reported by competent customer's IT folks
> - other things you deem important to provide ..

+ Good AQM and queue management

Sophos has fq_codel. /me happy.

> pixie dust
> alvin
> #
> # ddos-Mitigator.net
> # ddos-Simulator.net
>

--
Dave Täht
worldwide bufferbloat report:
http://www.dslreports.com/speedtest/results/bufferbloat
And:
What will it take to vastly improve wifi for everyone?
https://plus.google.com/u/0/explore/makewififast
Re: A multi-tenant firewall for an MSSP
of course checkpoint.

On Mon, Aug 17, 2015 at 4:57 AM, Rakesh M wrote:

> Have a look below Ramy pdf
>
> https://www.sophos.com/en-us/medialibrary/PDFs/partners/sophos_complete_security_msps_dsna.pdf?la=en
>
> On Mon, Aug 17, 2015 at 12:59 PM, Ramy Hashish wrote:
>
>> Thank you Rakesh and Colin.
>>
>> I just want to amend something, "FW as a service" rather than "security as
>> a service".
>>
>> Are you sure sophos has such a solution?
>>
>> Thanks,
>>
>> Ramy
>>
>> On Mon, Aug 17, 2015 at 9:47 AM, Colin Johnston wrote:
>>
>>> sophos utm works great :)
>>>
>>> Colin
>>>
>>> > On 17 Aug 2015, at 05:56, Rakesh M wrote:
>>> >
>>> > I have seen one of our customers using Sophos and they are relatively happy
>>> > about it. Not directly experienced though.
>>> >
>>> > Thanks
>>> > Rakesh
>>> >
>>> > On Mon, Aug 17, 2015 at 10:16 AM, Ramy Hashish wrote:
>>> >
>>> >> Hello All,
>>> >>
>>> >> We are planning to implement a multi-tenant FW/UTM and start providing
>>> >> security as a service, I would like to hear if anybody had experience on
>>> >> this, and if there are any recommendations for the UTM's vendor.
>>> >>
>>> >> People/customers here are more familiar with the Fortigate, however, we
>>> >> need to build a well-rounded solution that suits wide range of enterprises'
>>> >> business needs.
>>> >>
>>> >> Thanks,
>>> >>
>>> >> Ramy
Re: A multi-tenant firewall for an MSSP
Have a look below Ramy pdf

https://www.sophos.com/en-us/medialibrary/PDFs/partners/sophos_complete_security_msps_dsna.pdf?la=en

On Mon, Aug 17, 2015 at 12:59 PM, Ramy Hashish wrote:

> Thank you Rakesh and Colin.
>
> I just want to amend something, "FW as a service" rather than "security as
> a service".
>
> Are you sure sophos has such a solution?
>
> Thanks,
>
> Ramy
>
> On Mon, Aug 17, 2015 at 9:47 AM, Colin Johnston wrote:
>
>> sophos utm works great :)
>>
>> Colin
>>
>> > On 17 Aug 2015, at 05:56, Rakesh M wrote:
>> >
>> > I have seen one of our customers using Sophos and they are relatively happy
>> > about it. Not directly experienced though.
>> >
>> > Thanks
>> > Rakesh
>> >
>> > On Mon, Aug 17, 2015 at 10:16 AM, Ramy Hashish wrote:
>> >
>> >> Hello All,
>> >>
>> >> We are planning to implement a multi-tenant FW/UTM and start providing
>> >> security as a service, I would like to hear if anybody had experience on
>> >> this, and if there are any recommendations for the UTM's vendor.
>> >>
>> >> People/customers here are more familiar with the Fortigate, however, we
>> >> need to build a well-rounded solution that suits wide range of enterprises'
>> >> business needs.
>> >>
>> >> Thanks,
>> >>
>> >> Ramy
Re: A multi-tenant firewall for an MSSP
one vm per sophos utm per customer works well even with low ram as well

Colin

> On 17 Aug 2015, at 08:14, Andrew Jones wrote:
>
> Is there a multi-tenant capable UTM from Sophos? Or are you using a vm
> instance per customer?
> Thanks,
> Andrew
>
> On 17.08.2015 16:47, Colin Johnston wrote:
>> sophos utm works great :)
>>
>> Colin
>>
>>> On 17 Aug 2015, at 05:56, Rakesh M wrote:
>>>
>>> I have seen one of our customers using Sophos and they are relatively happy
>>> about it. Not directly experienced though.
>>>
>>> Thanks
>>> Rakesh
>>>
>>> On Mon, Aug 17, 2015 at 10:16 AM, Ramy Hashish wrote:
>>>
>>>> Hello All,
>>>>
>>>> We are planning to implement a multi-tenant FW/UTM and start providing
>>>> security as a service, I would like to hear if anybody had experience on
>>>> this, and if there are any recommendations for the UTM's vendor.
>>>>
>>>> People/customers here are more familiar with the Fortigate, however, we
>>>> need to build a well-rounded solution that suits wide range of enterprises'
>>>> business needs.
>>>>
>>>> Thanks,
>>>>
>>>> Ramy
Re: A multi-tenant firewall for an MSSP
Thank you Rakesh and Colin.

I just want to amend something, "FW as a service" rather than "security as a service".

Are you sure sophos has such a solution?

Thanks,

Ramy

On Mon, Aug 17, 2015 at 9:47 AM, Colin Johnston wrote:

> sophos utm works great :)
>
> Colin
>
> > On 17 Aug 2015, at 05:56, Rakesh M wrote:
> >
> > I have seen one of our customers using Sophos and they are relatively happy
> > about it. Not directly experienced though.
> >
> > Thanks
> > Rakesh
> >
> > On Mon, Aug 17, 2015 at 10:16 AM, Ramy Hashish wrote:
> >
> >> Hello All,
> >>
> >> We are planning to implement a multi-tenant FW/UTM and start providing
> >> security as a service, I would like to hear if anybody had experience on
> >> this, and if there are any recommendations for the UTM's vendor.
> >>
> >> People/customers here are more familiar with the Fortigate, however, we
> >> need to build a well-rounded solution that suits wide range of enterprises'
> >> business needs.
> >>
> >> Thanks,
> >>
> >> Ramy
Re: A multi-tenant firewall for an MSSP
hi

> On Mon, Aug 17, 2015 at 10:16 AM, Ramy Hashish wrote:
>
> We are planning to implement a multi-tenant FW/UTM and start providing
> security as a service, I would like to hear if anybody had experience on

that'd be a good thing ... but ...

> this, and if there are any recommendations for the UTM's vendor.

the possible vendors would depend on the answers to your idea of
what is "well rounded solution"

# fortinet's (possible) competitors
http://ddos-Mitigator.net/Competitors

> People/customers here are more familiar with the Fortigate, however, we
> need to build a well-rounded solution that suits wide range of enterprises'
> business needs.

# i doubt there is one product that provides the "well rounded solution"

in my world, "well rounded solution" would imply at least the following:
- anti virus solution ( one or more products to resolve the virus issue )
- anti spam solution ( one or more products to resolve the spam issue )
- iptables with tarpit ( protect against the free tcp-based script kiddies tests )
- udp limiting at isp ( part of iptables or your edge routers )
- icmp limiting at isp ( part of iptables or your edge routers )
- ingress/egress filters for your downlinks
- geographically distributed colo to mitigate small/medium sized ddos attacks
- regulatory compliance this and certified that vs "just anybody" ...
- good response time to fix problems reported by competent customer's IT folks
- other things you deem important to provide ..

pixie dust
alvin
#
# ddos-Mitigator.net
# ddos-Simulator.net
Re: A multi-tenant firewall for an MSSP
Is there a multi-tenant capable UTM from Sophos? Or are you using a vm instance per customer?

Thanks,
Andrew

On 17.08.2015 16:47, Colin Johnston wrote:

> sophos utm works great :)
>
> Colin
>
>> On 17 Aug 2015, at 05:56, Rakesh M wrote:
>>
>> I have seen one of our customers using Sophos and they are relatively happy
>> about it. Not directly experienced though.
>>
>> Thanks
>> Rakesh
>>
>> On Mon, Aug 17, 2015 at 10:16 AM, Ramy Hashish wrote:
>>
>>> Hello All,
>>>
>>> We are planning to implement a multi-tenant FW/UTM and start providing
>>> security as a service, I would like to hear if anybody had experience on
>>> this, and if there are any recommendations for the UTM's vendor.
>>>
>>> People/customers here are more familiar with the Fortigate, however, we
>>> need to build a well-rounded solution that suits wide range of enterprises'
>>> business needs.
>>>
>>> Thanks,
>>>
>>> Ramy
Re: A multi-tenant firewall for an MSSP
sophos utm works great :)

Colin

> On 17 Aug 2015, at 05:56, Rakesh M wrote:
>
> I have seen one of our customers using Sophos and they are relatively happy
> about it. Not directly experienced though.
>
> Thanks
> Rakesh
>
> On Mon, Aug 17, 2015 at 10:16 AM, Ramy Hashish wrote:
>
>> Hello All,
>>
>> We are planning to implement a multi-tenant FW/UTM and start providing
>> security as a service, I would like to hear if anybody had experience on
>> this, and if there are any recommendations for the UTM's vendor.
>>
>> People/customers here are more familiar with the Fortigate, however, we
>> need to build a well-rounded solution that suits wide range of enterprises'
>> business needs.
>>
>> Thanks,
>>
>> Ramy
Re: A multi-tenant firewall for an MSSP
I have seen one of our customers using Sophos and they are relatively happy about it. Not directly experienced though.

Thanks
Rakesh

On Mon, Aug 17, 2015 at 10:16 AM, Ramy Hashish wrote:

> Hello All,
>
> We are planning to implement a multi-tenant FW/UTM and start providing
> security as a service, I would like to hear if anybody had experience on
> this, and if there are any recommendations for the UTM's vendor.
>
> People/customers here are more familiar with the Fortigate, however, we
> need to build a well-rounded solution that suits wide range of enterprises'
> business needs.
>
> Thanks,
>
> Ramy
A multi-tenant firewall for an MSSP
Hello All,

We are planning to implement a multi-tenant FW/UTM and start providing security as a service, I would like to hear if anybody had experience on this, and if there are any recommendations for the UTM's vendor.

People/customers here are more familiar with the Fortigate, however, we need to build a well-rounded solution that suits wide range of enterprises' business needs.

Thanks,

Ramy