On Tue, 18 Aug 2015, Blake Dunlap wrote:

> Since no one else has mentioned it, I'll dive on that fire.
>
> Be careful when setting up a multi-tenant security solution that you
> are not accidentally selling "DoS as a Service" to your clients. State
> is evil, and state sharing with other targets is dangerous. Target
> sharing with other targets that are outsourcing their security can get
> increasingly scary especially if one of these clients is a juicy
> target. Make sure you have the infrastructure in place to quickly
> isolate your clients so that they do not fate share if they become
> the focus of DoS attacks. This can mean isolated infrastructure for
> those you wish to keep up, or sacrificial infrastructure for those you
> are willing to let drop for the greater good.
>
> -Blake
>

Unsure what you meant by this. In a multi-tenant firewall
implementation (as far as I envision it), all tenants would occupy
different IP space so I don't get how any of the state sessions would
be affected. I'd be more concerned with not enough sockets.

Palo Alto has a virtual system set up built specifically for this:

https://www.paloaltonetworks.com/products/features/virtual-systems.html

Now if only they'd send me free firewalls for marketing them.

--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of real
peace" - Dalai Lama

0B23 595C F07C 6092 8AEB 074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
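
The exchange above turns on whether tenants in separate IP space can still share fate through firewall state. The following is an added example, not part of either message: a small model of one session table serving two tenants, run once with a single shared pool and once with a per-tenant cap. The table capacity, the cap, the tenant names and all addresses are constructed assumptions.

```python
from collections import Counter

class StateTable:
    """Model of a session (connection-tracking) table on one firewall."""

    def __init__(self, capacity, per_tenant_cap=None):
        self.capacity = capacity              # total sessions the box can track
        self.per_tenant_cap = per_tenant_cap  # None = one pool shared by everyone
        self.sessions = set()
        self.per_tenant = Counter()

    def admit(self, tenant, flow):
        """Return True if the flow is tracked, False if it is dropped."""
        key = (tenant, flow)
        if key in self.sessions:
            return True
        if len(self.sessions) >= self.capacity:
            return False                      # table full: every tenant is affected
        if (self.per_tenant_cap is not None
                and self.per_tenant[tenant] >= self.per_tenant_cap):
            return False                      # only the tenant over its cap is affected
        self.sessions.add(key)
        self.per_tenant[tenant] += 1
        return True

def legit_sessions_admitted(per_tenant_cap):
    """Flood tenant-a's address space, then count tenant-b's admitted sessions."""
    table = StateTable(capacity=1000, per_tenant_cap=per_tenant_cap)
    # Constructed traffic: 5000 distinct flows aimed at tenant-a (203.0.113.10).
    for i in range(5000):
        src = "198.51.100.%d" % (i % 250)
        table.admit("tenant-a", (src, 1024 + i, "203.0.113.10", 443))
    # Constructed traffic: 100 ordinary sessions to tenant-b (203.0.113.20).
    return sum(
        table.admit("tenant-b", ("192.0.2.7", 40000 + i, "203.0.113.20", 443))
        for i in range(100)
    )

if __name__ == "__main__":
    print("shared pool, tenant-b sessions admitted:", legit_sessions_admitted(None))
    print("cap of 400 per tenant, tenant-b admitted:", legit_sessions_admitted(400))
```

In this model the two tenants never overlap in address space; the only thing they share is the table's capacity.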