Multitenant FWs

Hi,
What do you guys recommend for Multitenant Firewalls with support for over 1,000+ users/contexts?
I have looked at Centrinet's Accessmanager and Barracuda NG Firewall. Any other players/products?
Many Thanks in advance for the input,

Palo Alto Networks builds some nice gear

When I worked on building out Verizon's Network Based Firewall solution many
years ago, I chose Juniper NS-5400 platforms due to their multitenancy
capabilities and ability to support literally thousands of virtual firewall
contexts and many times that for users. This decision was made after an
exhaustive analysis of competing solutions from Checkpoint, Cisco, and
Juniper. Juniper's SRX line of products might make a good fit, but they
currently don't have full Logical System support which would certainly be a
requirement for any multi-tenant offering. However, Logical System support
is on the roadmap so you might want to look into this depending on your
timeframe for deployment.

As the other list member pointed out, Palo Alto does make some really nice
gear and I have really been impressed with their Application Layer
Firewalling capability (Application Identification, Web Firewalling, etc),
however, I was suitably unimpressed with their multitenant capability and
think you might be hard pressed to offer such an offering to more than one
customer using such a device.

Stefan Fouant

From: David Oramas [mailto:david.oramas@aptel.com.au]
Sent: Sunday, May 01, 2011 9:42 PM
To: nanog@nanog.org
Subject: Multitenant FWs

> Hi,
> What do you guys recommend for Multitenant Firewalls with support for
> over 1,000+ users/contexts?
> I have looked at Centrinet's Accessmanager and Barracuda NG Firewall.
> Any other players/products?
> Many Thanks in advance for the input,

one thing to keep in mind is that as near as I can tell no vendor (not
a single one) has actual hard limits configurable for each tenant
firewall instance. So, one can use all of the 'firewall rule'
resources, one can use all of the 'route memory' ... leaving other
instances flailing :frowning:

In my mind, unless you have very loose SLAs or are highly
overprovisioned... until vendors treat this basic problem this model
is a failure.

> When I worked on building out Verizon's Network Based Firewall solution many
> years ago, I chose Juniper NS-5400 platforms due to their multitenancy
> capabilities and ability to support literally thousands of virtual firewall
> contexts and many times that for users. This decision was made after an

yup.. too bad no actual customers showed up :frowning: (well, not any in real
numbers... though not due to the tech on the FW side, nor the
engineering work)

> As the other list member pointed out, Palo Alto does make some really nice
> gear and I have really been impressed with their Application Layer
> Firewalling capability (Application Identification, Web Firewalling, etc),
> however, I was suitably unimpressed with their multitenant capability and
> think you might be hard pressed to offer such an offering to more than one
> customer using such a device.

no support for actual limits on resources, eh? :frowning: nothing on at least:

memory dedicated to a tenant
routing resources
packet processing resources
inspection rule resources
bandwidth/through-put
management operations

(I'm sure I left some off, but the above would be an excellent thing
to see vendors support with hard limits THAT I CAN CONFIGURE!!)

-chris

Ahem, actually ScreenOS does support just such a thing through the use of
resource profiles - with this you can limit the amount of CPU, Sessions,
Policies, MIPs and DIPs (used for NAT), and other user defined objects such
as address book entries, etc. that each VSYS can avail. This was one of the
primary drivers behind our decision to utilize the NS-5400 for Verizon's
NBFW (you remember that place, right Chris? heh)

Stefan Fouant

From: christopher.morrow@gmail.com
[mailto:christopher.morrow@gmail.com] On Behalf Of Christopher Morrow

> one thing to keep in mind is that as near as I can tell no vendor (not
> a single one) has actual hard limits configurable for each tenant
> firewall instance. So, one can use all of the 'firewall rule'
> resources, one can use all of the 'route memory' ... leaving other
> instances flailing :frowning:
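The reserve/max quota semantics Chris asks for (memory, sessions, rules and so on capped per tenant) and Stefan describes for ScreenOS resource profiles can be made concrete with a small model. The following is an added example written for this page, not code from the thread, from Juniper or from any other vendor: it models one shared pool (think of the session table) split among tenants, each optionally carrying a (reserve, maximum) profile, and runs a noisy-neighbour scenario with and without profiles. Tenant names, the pool size and the quota numbers are all constructed.

```python
"""Toy model of per-tenant ("per-VSYS") resource quotas on a shared firewall.

Added example, not code from the NANOG thread or from any vendor. One shared
pool of `capacity` units is divided among tenants. A tenant with a profile is
guaranteed `reserve` units and can never hold more than `maximum`; anything it
uses above its reserve must come from the unreserved remainder of the pool.
All tenant names and numbers are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Profile:
    reserve: int   # always available to this tenant, however greedy the others are
    maximum: int   # hard ceiling; requests that would exceed it are refused

    def __post_init__(self) -> None:
        if not 0 <= self.reserve <= self.maximum:
            raise ValueError("need 0 <= reserve <= maximum")


class SharedPool:
    """A pool of `capacity` units shared by tenants.

    Without profiles allocation is first come, first served, so one tenant can
    drain the pool. With profiles, every tenant's reserve counts as committed
    whether or not it is in use, so nobody else can eat into it; consumption
    above reserve comes only from the unreserved remainder and never past maximum.
    """

    def __init__(self, capacity: int, profiles: Optional[Dict[str, Profile]] = None) -> None:
        self.capacity = capacity
        self.profiles: Dict[str, Profile] = dict(profiles or {})
        if sum(p.reserve for p in self.profiles.values()) > capacity:
            raise ValueError("reserves oversubscribe the pool")
        self.used: Dict[str, int] = {t: 0 for t in self.profiles}
        self.denied: Dict[str, int] = {t: 0 for t in self.profiles}

    def committed(self) -> int:
        """Units either in use or set aside as somebody's reserve."""
        total = 0
        for tenant, used in self.used.items():
            reserve = self.profiles[tenant].reserve if tenant in self.profiles else 0
            total += max(used, reserve)
        return total

    def free(self) -> int:
        """Unreserved units still available to anyone."""
        return self.capacity - self.committed()

    def allocate(self, tenant: str, n: int = 1) -> bool:
        """Give `tenant` n more units, or refuse (and count the refusal)."""
        used = self.used.setdefault(tenant, 0)
        self.denied.setdefault(tenant, 0)
        profile = self.profiles.get(tenant)
        if profile is None:
            from_shared = n                        # unprofiled: all of it competes for the remainder
        else:
            if used + n > profile.maximum:         # hard ceiling
                self.denied[tenant] += n
                return False
            within_reserve = max(0, min(n, profile.reserve - used))
            from_shared = n - within_reserve       # only the part above reserve competes
        if from_shared > self.free():
            self.denied[tenant] += n
            return False
        self.used[tenant] = used + n
        return True


CAPACITY = 1000
# Constructed profiles: tenant-a is the noisy neighbour, b and c are small steady tenants.
PROFILES = {
    "tenant-a": Profile(reserve=100, maximum=500),
    "tenant-b": Profile(reserve=200, maximum=400),
    "tenant-c": Profile(reserve=200, maximum=400),
}


def noisy_neighbour(profiles: Optional[Dict[str, Profile]]) -> SharedPool:
    """tenant-a tries to open 1000 sessions before b and c ask for 200 each."""
    pool = SharedPool(CAPACITY, profiles)
    for _ in range(1000):
        pool.allocate("tenant-a")
    for tenant in ("tenant-b", "tenant-c"):
        for _ in range(200):
            pool.allocate(tenant)
    return pool


if __name__ == "__main__":
    for label, profiles in (("no limits", None), ("with profiles", PROFILES)):
        pool = noisy_neighbour(profiles)
        print(f"{label:14s} used={pool.used} denied={pool.denied} free={pool.free()}")
```

Without profiles tenant-a takes the whole pool and the other two get nothing, which is the failure mode Chris describes. With profiles tenant-a is stopped at its maximum of 500, b and c get their reserved 200 each, and the leftover 100 unreserved units are available to whichever tenant asks first but to nobody beyond its own maximum. Counting a reserve as committed even while unused is what turns "reserve" into a guarantee rather than a hint; a real platform also has to enforce the same idea on CPU and packet-processing time, which this model leaves out.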

> Ahem, actually ScreenOS does support just such a thing through the use of
> resource profiles - with this you can limit the amount of CPU, Sessions,
> Policies, MIPs and DIPs (used for NAT), and other user defined objects such
> as address book entries, etc. that each VSYS can avail. This was one of the

good to know... I wonder how well it isolates.

> primary drivers behind our decision to utilize the NS-5400 for Verizon's
> NBFW (you remember that place, right Chris? heh)

i do, occasionally via the twitching :slight_smile:

From: christopher.morrow@gmail.com
[mailto:christopher.morrow@gmail.com] On Behalf Of Christopher Morrow
> > Ahem, actually ScreenOS does support just such a thing through the use of
> > resource profiles - with this you can limit the amount of CPU, Sessions,
> > Policies, MIPs and DIPs (used for NAT), and other user defined objects such
> > as address book entries, etc. that each VSYS can avail. This was one of the

> good to know... I wonder how well it isolates.

Ask the Vz marketing folks... oh, wait, 1 customer isn't really enough to
demonstrate how well it isolates after all I guess :wink:

> > primary drivers behind our decision to utilize the NS-5400 for Verizon's
> > NBFW (you remember that place, right Chris? heh)

> i do, occasionally via the twitching :slight_smile:

Hehe...

Stefan Fouant