A multi-tenant firewall for an MSSP
On Tue, 18 Aug 2015, Blake Dunlap wrote:
> Since no one else has mentioned it, I'll dive on that fire.
>
> Be careful when setting up a multi-tenant security solution that you
> are not accidentally selling "DoS as a Service" to your clients. State
> is evil, and state sharing with other targets is dangerous. Target
> sharing with other targets that are outsourcing their security can get
> increasingly scary especially if one of these clients is a juicy
> target. Make sure you have the infrastructure in place to quickly
> isolate your clients so that they do not fate share if they become
> the focus of DoS attacks. This can mean isolated infrastructure for
> those you wish to keep up, or sacrificial infrastructure for those you
> are willing to let drop for the greater good.
>
> -Blake
>
Unsure what you meant by this. In a multi-tenant firewall
implementation (as far as I envision it), all tenants would
occupy different IP space so I don't get how any of the
state sessions would be affected. I'd be more concerned
with not enough sockets.

Palo Alto has a virtual system set up built specifically
for this:
https://www.paloaltonetworks.com/products/features/virtual-systems.html

Now if only they'd send me free firewalls for marketing
them.
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama
0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
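
The exchange above turns on whether tenants in separate IP space can still fate share through firewall state. The following toy model is an added example, not part of the original thread: it compares one fixed-capacity state table shared by two tenants with the same table under a per-tenant quota. The class, tenant names, capacity and quota are all constructed for illustration and do not describe any vendor's implementation.

```python
from collections import Counter

class StateTable:
    """Toy connection-state table with a fixed number of entries."""
    def __init__(self, capacity, per_tenant_quota=None):
        self.capacity = capacity
        self.quota = per_tenant_quota      # None means no tenant isolation
        self.entries = set()               # (tenant, flow_id) pairs
        self.per_tenant = Counter()
        self.dropped = Counter()

    def admit(self, tenant, flow_id):
        """Return True if the flow has (or gets) a state entry."""
        key = (tenant, flow_id)
        if key in self.entries:
            return True
        over_quota = (self.quota is not None
                      and self.per_tenant[tenant] >= self.quota)
        if over_quota or len(self.entries) >= self.capacity:
            self.dropped[tenant] += 1      # new connection refused
            return False
        self.entries.add(key)
        self.per_tenant[tenant] += 1
        return True

def simulate(table, flood_flows=5000, legit_flows=100):
    """Tenant A is under a connection flood; tenant B is a bystander.

    B uses different flow keys (different IP space) but the same table.
    Returns (B flows admitted, B flows dropped).
    """
    for i in range(flood_flows):           # constructed flood toward A
        table.admit("tenant-A", i)
    admitted = sum(table.admit("tenant-B", i) for i in range(legit_flows))
    return admitted, table.dropped["tenant-B"]

def compare(capacity=4000, quota=2000):
    shared = simulate(StateTable(capacity))
    isolated = simulate(StateTable(capacity, per_tenant_quota=quota))
    return {"shared": shared, "isolated": isolated}

if __name__ == "__main__":
    for mode, (ok, dropped) in compare().items():
        print(f"{mode:9s} tenant-B admitted={ok} dropped={dropped}")
```

In the shared case tenant B loses every new connection although none of the flood traffic was addressed to it; with the quota, the flood is confined to tenant A's share of the table.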