[140101] in North American Network Operators' Group


RE: Multitenant FWs

daemon@ATHENA.MIT.EDU (Stefan Fouant)
Sun May 1 23:06:52 2011

From: "Stefan Fouant" <sfouant@shortestpathfirst.net>
To: "'David Oramas'" <david.oramas@aptel.com.au>,
	<nanog@nanog.org>
In-Reply-To: <83AD98028495F940A7228E43CEC97D860473D0F62F@APMAIL.1QR.COM.AU>
Date: Sun, 1 May 2011 23:05:48 -0400
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

> -----Original Message-----
> From: David Oramas [mailto:david.oramas@aptel.com.au]
> Sent: Sunday, May 01, 2011 9:42 PM
> To: nanog@nanog.org
> Subject: Multitenant FWs
> 
> Hi,
> What do you guys recommend for Multitenant Firewalls with support for
> over 1,000+ users/contexts?
> I have looked at Centrinet's Accessmanager and Barracuda NG Firewall.
> Any other players/products?
> Many Thanks in advance for the input,

When I worked on building out Verizon's Network Based Firewall solution many
years ago, I chose Juniper NS-5400 platforms due to their multitenancy
capabilities and ability to support literally thousands of virtual firewall
contexts and many times that for users.  This decision was made after an
exhaustive analysis of competing solutions from Check Point, Cisco, and
Juniper.  Juniper's SRX line of products might make a good fit, but they
currently don't have full Logical System support which would certainly be a
requirement for any multi-tenant offering.  However, Logical System support
is on the roadmap so you might want to look into this depending on your
timeframe for deployment.

As the other list member pointed out, Palo Alto does make some really nice
gear and I have really been impressed with their Application Layer
Firewalling capability (Application Identification, Web Firewalling, etc.);
however, I was suitably unimpressed with their multitenant capability and
think you might be hard pressed to offer such an offering to more than one
customer using such a device. 

Stefan Fouant



