[183184] in North American Network Operators' Group


Re: A multi-tenant firewall for an MSSP

daemon@ATHENA.MIT.EDU (Dave Taht)
Mon Aug 17 12:53:36 2015

X-Original-To: nanog@nanog.org
In-Reply-To: <20150817072728.GA24988@Mail.DDoS-Mitigator.net>
Date: Mon, 17 Aug 2015 18:53:34 +0200
From: Dave Taht <dave.taht@gmail.com>
To: alvin nanog <nanogml@mail.ddos-mitigator.net>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Mon, Aug 17, 2015 at 9:27 AM, alvin nanog
<nanogml@mail.ddos-mitigator.net> wrote:
>
> hi
>
>> On Mon, Aug 17, 2015 at 10:16 AM, Ramy Hashish <ramy.ihashish@gmail.com>
>> wrote:
>>
>> We are planning to implement a multi-tenant FW/UTM and start providing
>> security as a service, I would like to hear if anybody had experience on
>
> that'd be a good thing ... but ...
>
>> this, and if there are any recommendations for the UTM's vendor.
>
> the possible vendors would depend on the answers to your idea of
> what is "well rounded solution"
>
>         # fortinet's (possible) competitors
>         http://ddos-Mitigator.net/Competitors
>
>> People/customers here are more familiar with the Fortigate, however, we
>> need to build a well-rounded solution that suits wide range of enterprises'
>> business needs.
>
> # i doubt there is one product that provides the "well rounded solution"
>
> in my world, "well rounded solution" would imply at least the following:
> - anti virus solution  ( one or more products to resolve the virus issue )
> - anti spam solution  ( one or more products to resolve the spam issue )
> - iptables with tarpit ( protect against the free tcp-based script kiddies tests )
> - udp limiting at isp ( part of iptables or your edge routers )
> - icmp limiting at isp ( part of iptables or your edge routers )
> - ingress/egress filters for your downlinks
> - geographically distributed colo to mitigate small/medium sized ddos attacks
> - regulatory compliance this and certified that vs "just anybody" ...
> - good response time to fix problems reported by competent customer's IT folks
> - other things you deem important to provide ..

+ Good AQM and queue management

Sophos has fq_codel. /me happy.
> pixie dust
> alvin
> #
> # ddos-Mitigator.net
> # ddos-Simulator.net
>



-- 
Dave Täht
worldwide bufferbloat report:
http://www.dslreports.com/speedtest/results/bufferbloat
And:
What will it take to vastly improve wifi for everyone?
https://plus.google.com/u/0/explore/makewififast
