[183210] in North American Network Operators' Group
Re: A multi-tenant firewall for an MSSP
daemon@ATHENA.MIT.EDU (Edward Dore)
Tue Aug 18 17:31:07 2015
X-Original-To: nanog@nanog.org
From: Edward Dore <edward.dore@freethought-internet.co.uk>
In-Reply-To: <20150818194836.GA74875@e-fensive.net>
Date: Tue, 18 Aug 2015 22:30:28 +0100
To: "J. Oquendo" <joquendo@e-fensive.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On 18 Aug 2015, at 20:48, J. Oquendo <joquendo@e-fensive.net> wrote:
> On Tue, 18 Aug 2015, Blake Dunlap wrote:
> 
>> Since no one else has mentioned it, I'll dive on that fire.
>> 
>> Be careful when setting up a multi-tenant security solution that you
>> are not accidentally selling "DoS as a Service" to your clients. State
>> is evil, and state sharing with other targets is dangerous. Target
>> sharing with other targets that are outsourcing their security can get
>> increasingly scary, especially if one of these clients is a juicy
>> target. Make sure you have the infrastructure in place to quickly
>> isolate your clients so that they do not fate share if they become
>> the focus of DoS attacks. This can mean isolated infrastructure for
>> those you wish to keep up, or sacrificial infrastructure for those you
>> are willing to let drop for the greater good.
>> 
>> -Blake
>> 
> 
> Unsure what you meant by this. In a multi-tenant firewall
> implementation (as far as I envision it), all tenants would
> occupy different IP space so I don't get how any of the
> state sessions would be affected. I'd be more concerned
> with not enough sockets.
> 
> Palo Alto has a virtual system set up built specifically
> for this:
> 
> https://www.paloaltonetworks.com/products/features/virtual-systems.html
> 
> Now if only they'd send me free firewalls for marketing
> them.
> 
> -- 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
> 
> "Where ignorance is our master, there is no possibility of
> real peace" - Dalai Lama
> 
> 0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463
> https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
Back in my corporate days, the company that I was working for had persistent problems with a large UK ISP who insisted on providing a centralised "managed" firewall service for their multi-site internet connectivity (basically an L3VPN with a gateway for internet breakout), despite then setting the rules to allow everything as each site on the network had its own local firewall under our administrative control.

The ISP were using Cisco FWSM with each customer in their own context and the company I was working for would periodically stop receiving any responses to DNS lookups irrespective of the server queried. It eventually turned out that another customer on the same FWSM kept getting DoSed and when this happened it caused some form of resource exhaustion (I'm afraid I can't recall the exact details) which broke things in the other contexts - the most noticeable of which was the protocol inspection/fixup stuff that was looking at DNS traffic!

Of course, this may have been a configuration issue or a problem with the specific version of software that the ISP were running.

Edward Dore
Freethought Internet
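The failure mode Blake warns about and Edward saw on the FWSM (one tenant's flood eats a shared pool of state, and an unrelated tenant's DNS lookups stop getting entries) can be shown with a toy model. This is an added example written for this archive page, not code from the thread or from any firewall vendor; the tenant names, the table size of 1000 entries and the flood size are constructed, and the "partitioned" table stands in for the kind of per-context resource limit a multi-context firewall platform offers.

```python
"""Toy model of a firewall flow/state table shared between tenants.

Constructed example: a SharedStateTable lets every tenant draw from one pool,
so a flood aimed at tenantB leaves no entries for tenantA's DNS flows.
A PartitionedStateTable caps each tenant's share, so the flood only fills
tenantB's allotment and tenantA keeps working (it "fate shares" no longer).
"""


class SharedStateTable:
    """Every tenant draws from one pool of flow entries, no per-tenant limit."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.used = {}  # tenant -> flow entries currently held

    def total_used(self):
        return sum(self.used.values())

    def open_flow(self, tenant):
        # Table full: the new flow is dropped regardless of which tenant asked.
        if self.total_used() >= self.capacity:
            return False
        self.used[tenant] = self.used.get(tenant, 0) + 1
        return True


class PartitionedStateTable(SharedStateTable):
    """Each tenant has a hard cap on entries (analogous to a per-context
    resource limit). For a real guarantee the caps must sum to at most the
    table capacity, otherwise the pool can still run dry under load."""

    def __init__(self, capacity, cap_per_tenant):
        super().__init__(capacity)
        if sum(cap_per_tenant.values()) > capacity:
            raise ValueError("per-tenant caps oversubscribe the table")
        self.cap_per_tenant = cap_per_tenant

    def open_flow(self, tenant):
        # This tenant is at its own limit: only its flows are refused.
        if self.used.get(tenant, 0) >= self.cap_per_tenant[tenant]:
            return False
        return super().open_flow(tenant)


def simulate(table, flood_tenant, flood_flows, victim_tenant, victim_flows):
    """Flood one tenant's address space, then try to open a few ordinary flows
    (think DNS lookups) for another tenant. Returns a tuple of how many flood
    flows and how many of the other tenant's flows got a state entry."""
    flood_ok = sum(table.open_flow(flood_tenant) for _ in range(flood_flows))
    victim_ok = sum(table.open_flow(victim_tenant) for _ in range(victim_flows))
    return flood_ok, victim_ok


if __name__ == "__main__":
    # Constructed scenario: a 1000-entry table, 5000 flood flows at tenantB,
    # then 10 DNS lookups from tenantA.
    shared = SharedStateTable(capacity=1000)
    print("shared table:", simulate(shared, "tenantB", 5000, "tenantA", 10))
    # -> (1000, 0): tenantA's lookups all fail although it was never attacked.

    parted = PartitionedStateTable(capacity=1000,
                                   cap_per_tenant={"tenantA": 500, "tenantB": 500})
    print("partitioned table:", simulate(parted, "tenantB", 5000, "tenantA", 10))
    # -> (500, 10): the flood is contained to tenantB's share; tenantA is fine.
```

The second table is the "isolate your clients" advice in miniature: the tenant under attack still loses (its 500 entries fill up and its later flows are refused, which is the "sacrificial" outcome), but nobody else's DNS breaks with it. The same reasoning applies to any shared per-box resource the contexts draw from, not just connection entries.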