Hello All,
We are planning to implement a multi-tenant FW/UTM and start providing
security as a service, I would like to hear if anybody had experience on
this, and if there are any recommendations for the UTM's vendor.
People/customers here are more familiar with the Fortigate, however, we
need to build a well-rounded solution that suits wide range of enterprises'
business needs.
Thanks,
Ramy
I have seen one of our customers using Sophos and they are relatively happy
about it. Not directly experienced though.
Thanks
Rakesh
sophos utm works great 
Colin
Is there a multi-tennant capable UTM from Sophos? Or are you using a vm instance per customer?
Thanks,
Andrew
hi
We are planning to implement a multi-tenant FW/UTM and start providing
security as a service, I would like to hear if anybody had experience on
that'd be a good thing ... but ...
this, and if there are any recommendations for the UTM's vendor.
the possible vendors would depend on the answers to your idea of
what is "well rounded solution"
# fortinet's (possible) competitors
http://ddos-Mitigator.net/Competitors
People/customers here are more familiar with the Fortigate, however, we
need to build a well-rounded solution that suits wide range of enterprises'
business needs.
# i doubt there is one product that provides the "well rounded solution"
in my world, "well rounded solution" would imply at least the following:
- anti virus solution ( one or more products to resolve the virus issue )
- anti spam solution ( one or more products to resolve the spam issue )
- iptables with tarpit ( protect against the free tcp-based script kiddies tests )
- udp limiting at isp ( part of iptables or your edge routers )
- icmp limiting at isp ( part of iptables or your edge routers )
- ingress/egress filters for your downlinks
- geographically distributed colo to mitigate small/medium sized ddos attacks
- regulatory compliance this and certified that vs "just anybody" ...
- good response time to fix problems reported by competent customer's IT folks
- other things you deem important to provide ..
pixie dust
alvin
Thank you Rakesh and Colin.
I just want to amend something, "FW as a service" rather than "security as
a service".
Are you sure sophos has such a solution?
Thanks,
Ramy
one vm per sophos utm per customer
works well even with low ram as well
Colin
Have a look below Ramy pdf
https://www.sophos.com/en-us/medialibrary/PDFs/partners/sophos_complete_security_msps_dsna.pdf?la=en
of course checkpoint.
hi
We are planning to implement a multi-tenant FW/UTM and start providing
security as a service, I would like to hear if anybody had experience onthat'd be a good thing ... but ...
this, and if there are any recommendations for the UTM's vendor.
the possible vendors would depend on the answers to your idea of
what is "well rounded solution"# fortinet's (possible) competitors
http://ddos-Mitigator.net/CompetitorsPeople/customers here are more familiar with the Fortigate, however, we
need to build a well-rounded solution that suits wide range of enterprises'
business needs.# i doubt there is one product that provides the "well rounded solution"
in my world, "well rounded solution" would imply at least the following:
- anti virus solution ( one or more products to resolve the virus issue )
- anti spam solution ( one or more products to resolve the spam issue )
- iptables with tarpit ( protect against the free tcp-based script kiddies tests )
- udp limiting at isp ( part of iptables or your edge routers )
- icmp limiting at isp ( part of iptables or your edge routers )
- ingress/egress filters for your downlinks
- geographically distributed colo to mitigate small/medium sized ddos attacks
- regulatory compliance this and certified that vs "just anybody" ...
- good response time to fix problems reported by competent customer's IT folks
- other things you deem important to provide ..
+ Good AQM and queue management
Sophos has fq_codel. /me happy.
Hello All,
We are planning to implement a multi-tenant FW/UTM and start providing
security as a service, I would like to hear if anybody had experience on
this, and if there are any recommendations for the UTM's vendor.
Check Point VS might be a good fit. Also there is McAfee NGFW that can be
used as a multi-tenant solution.
Other solutions are Fortigate (what you mentioned), ASA w/ contexts (not
sure about UTM support in contexts though).
People/customers here are more familiar with the Fortigate, however, we
need to build a well-rounded solution that suits wide range of enterprises'
business needs.
I think that you first define what the most wanted needs of your clients
are and work from that.
Since no one else has mentioned it, I'll dive on that fire.
Be careful when setting up a multi-tenant security solution that you
are not accidentally selling "DoS as a Service" to your clients. State
is evil, and state sharing with other targets is dangerous. Target
sharing with other targets that are outsourcing their security can get
increasingly scary especially if one of these clients is a juicy
target. Make sure you have the infrastructure in place to quickly
isolate your clients so that they do not fate share if they become in
the focus of DoS attacks. This can mean isolated infrastructure for
those you wish to keep up, or sacrificial infrastructure for those you
are willing to let drop for the greater good.
-Blake
Unsure what you meant by this. In a multi-tenant firewall
implementation (as far as I envision it), all tenants would
occupy different IP space so I don't get how any of the
state sessions would be affected. I'd be more concerned
with not enough sockets.
Palo Alto has a virtual system set up built specifically
for this:
https://www.paloaltonetworks.com/products/features/virtual-systems.html
Now if only they'd send me free firewalls for marketing
them.
Back in my corporate days, the company that I was working for had persistent problems with a large UK ISP who insisted on providing a centralised "managed" firewall service for their multi-site internet connectivity (basically an L3VPN with a gateway for internet breakout), despite then setting the rules to allow everything as each site on the network had its own local firewall under our administrative control.
The ISP were using Cisco FWSM with each customer in their own context and the company I was working for would periodically stop receiving any responses to DNS lookups irrespective of the server queried. It eventually turned out that another customer on the same FWSM kept getting DoSed and when this happened it caused some form of resource exhaustion (I'm afraid I can't recall the exact details) which broke things in the other contexts - the most noticeable of which was the protocol inspection/fixup stuff that was looking at DNS traffic!
Of course, this may have been a configuration issue or a problem with the specific version of software that the ISP were running.
Edward Dore
Freethought Internet