[140102] in North American Network Operators' Group
Re: Multitenant FWs
Sun May 1 23:57:22 2011
In-Reply-To: <009f01cc0875$d75d3ef0$8617bcd0$@net>
Date: Sun, 1 May 2011 23:56:31 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Stefan Fouant <sfouant@shortestpathfirst.net>
Cc: nanog@nanog.org
On Sun, May 1, 2011 at 11:05 PM, Stefan Fouant
<sfouant@shortestpathfirst.net> wrote:
>> -----Original Message-----
>> From: David Oramas [mailto:david.oramas@aptel.com.au]
>> Sent: Sunday, May 01, 2011 9:42 PM
>> To: nanog@nanog.org
>> Subject: Multitenant FWs
>>
>> Hi,
>> What do you guys recommend for Multitenant Firewalls with support for
>> over 1,000+ users/contexts?
>> I have looked at Centrinet's Accessmanager and Barracuda NG Firewall.
>> Any other players/products?
>> Many Thanks in advance for the input,
one thing to keep in mind is that as near as I can tell no vendor (not
a single one) has actual hard limits configurable for each tenant
firewall instance. So, one can use all of the 'firewall rule'
resources, one can use all of the 'route memory' ... leaving other
instances flailing :(
In my mind, unless you have very loose SLAs or are highly
overprovisioned... until vendors treat this basic problem this model
is a failure.
> When I worked on building out Verizon's Network Based Firewall solution many
> years ago, I chose Juniper NS-5400 platforms due to their multitenancy
> capabilities and ability to support literally thousands of virtual firewall
> contexts and many times that for users. This decision was made after an
yup.. too bad no actual customers showed up :( (well, not any in real
numbers... though not due to the tech on the FW side, nor the
engineering work)
> As the other list member pointed out, Palo Alto does make some really nice
> gear and I have really been impressed with their Application Layer
> Firewalling capability (Application Identification, Web Firewalling, etc),
> however, I was suitably unimpressed with their multitenant capability and
> think you might be hard pressed to offer such an offering to more than one
> customer using such a device.
no support for actual limits on resources, eh? :( nothing on at least:
memory dedicated to a tenant
routing resources
packet processing resources
inspection rule resources
bandwidth/through-put
management operations
(I'm sure I left some off, but the above would be an excellent thing
to see vendors support with hard limits THAT I CAN CONFIGURE!!)
-chris