Another way to have your cake would be to combine all of your customers under one centralized firewall. This requires that you set up your security policy very carefully so you don't inadvertently open up access between customers' networks. It also means that you wind up with one very large, very complex set of rules. And, of course, the more complicated the ruleset, the greater the chance that you'll screw up when making changes. A mistake could deny access to the customer -- or even to another customer that didn't even request a change.
A mistake in the other direction could open up too much access, and we all know the potential consequences of that. In addition, it would be nice to let customers at least look at their own policies so they don't have to call your tech support every time they have a question. This isn't practical when you have one big policy.
The solution? A collocated firewall. We went looking for these products and found two vendors that not only let you eat your cake but divide it into nice, neat slices as well. In fact, participation in this review required that vendors submit products with features specifically designed to manage multiple firewall policies on the same firewall, in a multi-tenant environment. Keep in mind that this is different from just managing multiple policies on the same management station, with a corresponding firewall for each policy. When you store multiple policies on one management station, there is still a dedicated policy for each individual firewall. We're talking about the inverse: one firewall, many simultaneous policies. In some ways, this setup is even more difficult for the firewall vendor to pull off.
Another requirement we had was that the devices should be capable of gigabit connectivity. And, we wanted products that could be set up for stateful failover. This was a tall order, and as a result, only two vendors made the grade. Lucent Technologies submitted a pair of its Brick 1000 devices, and NetScreen Technologies sent us two NetScreen-500s.
Both products have all the advantages of an appliance. There is no operating system to install or lock down and no software to load. This isn't a big deal if you have a small number of firewalls, but if you have a lot of them, the time saved by avoiding these steps can add up.
In addition, both vendors were able to divide up their firewalls into virtual firewalls, each with its own dedicated 802.1q VLAN (virtual LAN). This makes it possible to have a switch on both sides of the firewall. Each switch can then have an 802.1q trunk to the firewall on one end, with a port dedicated to each customer's VLAN on the other end. A VLAN is the best way to logically segregate customer networks without devoting equipment to every piece of every customer network, so the technology is an obvious fit. Just be careful: If you misconfigure your VLAN, you could potentially open up holes between your customers' networks. (For more information, see "Are there Vulnerabilities in VLAN Implementations?").
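The two failure modes the review warns about, a change to one consolidated ruleset that quietly opens access between customers, and a VLAN-per-customer layout whose policy addresses are scoped wider than the customer's own VLAN, are both things you can check for mechanically before a change goes live. The script below is an added example and is not code from the review or from Lucent or NetScreen; it models each customer as a VLAN plus an address prefix and audits a consolidated ruleset for cross-tenant allows and out-of-scope addresses. The tenant names, VLAN ids, prefixes, the `outside` zone label and the sample rules are all constructed for the example.

```python
"""Audit a consolidated multi-tenant firewall ruleset for inter-customer access."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union

# Constructed tenant table: one 802.1q VLAN and one address prefix per customer.
# Names, VLAN ids and prefixes are invented for this example.
TENANTS = {
    "customer-a": (101, ipaddress.ip_network("10.1.0.0/16")),
    "customer-b": (102, ipaddress.ip_network("10.2.0.0/16")),
    "customer-c": (103, ipaddress.ip_network("10.3.0.0/16")),
}
OUTSIDE = "outside"  # hypothetical label for the Internet-facing interface

VLAN_TO_TENANT = {vlan: name for name, (vlan, _) in TENANTS.items()}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: Union[int, str]  # VLAN id of the ingress side, or OUTSIDE
    src: str                   # source CIDR
    dst_zone: Union[int, str]  # VLAN id of the egress side, or OUTSIDE
    dst: str                   # destination CIDR
    action: str                # "allow" or "deny"


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs for every allow rule that either
    crosses from one customer's VLAN to another's, or names addresses that
    lie outside the prefix of the customer whose VLAN the rule is bound to."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules cannot open access
        src_t = VLAN_TO_TENANT.get(r.src_zone)  # None when the zone is OUTSIDE
        dst_t = VLAN_TO_TENANT.get(r.dst_zone)

        # 1. Direct inter-customer hole: both ends are tenant VLANs, and they differ.
        if src_t and dst_t and src_t != dst_t:
            findings.append((r.name, f"allows {src_t} -> {dst_t}"))
            continue

        # 2. Scope error: on a customer's VLAN only that customer's addresses are
        #    expected, so a broader range (e.g. 10.0.0.0/8) is a typo worth a look.
        for label, zone_t, cidr in (("src", src_t, r.src), ("dst", dst_t, r.dst)):
            if zone_t is None:
                continue
            prefix = TENANTS[zone_t][1]
            net = ipaddress.ip_network(cidr, strict=False)
            if not net.subnet_of(prefix):
                findings.append((r.name, f"{label} {cidr} lies outside {zone_t}'s {prefix}"))
    return findings


# Constructed sample ruleset: two clean rules, one cross-customer hole,
# one over-broad destination, and a deny that must not be reported.
SAMPLE_RULES = [
    Rule("a-web-in", OUTSIDE, "0.0.0.0/0", 101, "10.1.10.0/24", "allow"),
    Rule("b-out", 102, "10.2.0.0/16", OUTSIDE, "0.0.0.0/0", "allow"),
    Rule("typo-c-to-a", 103, "10.3.0.0/16", 101, "10.1.20.5/32", "allow"),
    Rule("b-too-broad", 102, "10.2.0.0/16", 102, "10.0.0.0/8", "allow"),
    Rule("deny-all", OUTSIDE, "0.0.0.0/0", 101, "0.0.0.0/0", "deny"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Running the audit as part of every policy change, with the customer-to-VLAN table kept alongside the ruleset, catches the "customer that didn't even request a change" case before the rule is pushed; the same table is what you would hand a customer who only wants to read their own slice of the policy.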
Still, no matter how you slice it, we were dealing with some serious complexities here. VLANs are tricky in the best of circumstances -- you have to implement and document them carefully. Dropping a firewall into the mix only makes the process more complicated. Both NetScreen's and Lucent's products did a good job of clearly delineating VLANs and their associated rulesets. They also were both able to provide selective administrative access to the individual policies. In general, though, Lucent's LSMS (Lucent Security Management Server) did a much better job managing the whole shebang. In fact, strong management and reporting capabilities, along with better performance, earned Lucent's Brick 1000 our Editor's Choice award. (For more on LSMS, see "Lucent Brick 1000 and LSMS 6.0 Beta: Hotter Than a Haitian Sunset.")