This is a killer feature, especially for Managed Service Providers!

You can now isolate your customer environments into separate sub domains. This feature makes sure that elements belonging to different customers are never mixed in any context. You can even have an element with the same name in several sub domains. Of course, some elements are worth sharing… If you keep an element in the “Shared Domain”, that element is visible in all the sub domains. This way you can use e.g. common policy templates for many customers. You have total control over what is shown in each domain.

Domains are naturally taken into account in the administrator permission control settings. You can configure which administrators take care of which domains and what privileges they have in each domain. When an administrator logs in, he will see a “Domain Overview” of the domains he has been granted access to. You can also create administrators inside a sub domain. Such a “local administrator” implicitly has access only to the sub domain in which his administrator account was created.

Domains are not only a feature for MSSPs. The concept is very convenient for large enterprise customers as well. In that case you can isolate e.g. your business areas into separate domains and create the local administrator accounts inside the sub domains.
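To make the visibility and permission rules described above concrete, here is a small model of them in Python. It is an added illustration, not StoneGate code: the domain names, element names and administrator accounts are constructed sample data, and the behaviour it encodes is exactly what the post states (a sub domain sees its own elements plus the Shared Domain ones, the same name may exist in several sub domains, and a local administrator is confined to the sub domain his account was created in).

```python
from dataclasses import dataclass

SHARED = "Shared Domain"  # elements kept here are visible in every sub domain


@dataclass(frozen=True)
class Element:
    name: str
    domain: str  # a sub domain name, or SHARED


@dataclass
class Administrator:
    name: str
    created_in: str  # domain the account was created in (SHARED for a global admin)
    # explicit domain grants; only used for administrators created in the Shared Domain
    granted: frozenset = frozenset()

    def domains(self) -> frozenset:
        """Sub domains this administrator may work in. A local administrator
        created inside a sub domain is implicitly confined to that sub domain."""
        if self.created_in == SHARED:
            return self.granted
        return frozenset({self.created_in})


class Smc:
    """Minimal model of element storage with per-domain name scoping (assumption)."""

    def __init__(self) -> None:
        self.elements: set = set()

    def add(self, name: str, domain: str) -> Element:
        # The same name may exist in several sub domains, but must be unique inside one.
        if any(e.name == name and e.domain == domain for e in self.elements):
            raise ValueError(f"{name!r} already exists in domain {domain!r}")
        element = Element(name, domain)
        self.elements.add(element)
        return element

    def visible_to(self, admin: Administrator, domain: str) -> set:
        """Element names shown to `admin` when working in `domain`: that domain's
        own elements plus the Shared Domain ones; nothing if the admin has no grant."""
        if domain not in admin.domains():
            return set()
        return {e.name for e in self.elements if e.domain in (domain, SHARED)}


def demo() -> Smc:
    """Constructed sample inventory: one shared policy template, two customer sub domains."""
    smc = Smc()
    smc.add("Web-Policy-Template", SHARED)
    smc.add("fw-1", "Customer-A")
    smc.add("fw-1", "Customer-B")  # same name in another sub domain is allowed
    return smc
```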
Domains require an additional license. Once SMC 5.0 is published, get the evaluation license, play with the Domains and see how well they suit your needs! Or if you have any questions about the domains, just ask them here in the StoneBlog.
6 Responses to “StoneGate 5.0: Domains”
February 9th, 2009 at 5:41 pm
Can multiple domains use the same firewall objects? For example can eth0 have multiple aliases based on domains/customer ? Or will I need to have separate physical interfaces (firewalls?) per domain?
In short, is this only to separate “administrators, objects and rulebases” in the management? Which I guess is just fine.
Oh, and this upcoming 5.0 looks REALLY promising. Really hope you guys get this firewall out there. More buzz, more exposure, more noise.
Working now with Checkpoint (Provider-1) and Netscreen (NSM, Netscreen Security Manager) I long for a powerful firewall management like this. Checkpoint is so dated, pretty much the same as the “first” Next Generation (4.1 in 2000 I think it was) and oh so bloated. Netscreens are really nice firewalls; their NSM however is a completely different story altogether. It’s like sitting in a Trabant watching a nice slick sports car roll by.
February 9th, 2009 at 7:56 pm
Will there also be something like a domain-based Web Portal where customers may have a look at their currently installed policy or created reports?
February 10th, 2009 at 10:03 am
Thanks for your interesting questions!
Johan, StoneGate’s Domain solution is mainly for separating administrators’ responsibilities, engines, network elements, policies, logs, statistics etc. Of course it is possible to keep some of your engines in the Shared Domain, but that makes the engine elements visible to all your subdomains. That’s why we recommend that you place the customers’ engines in separate subdomains and keep only those elements in the Shared Domain that you really want to share.
If you have a lot of small customers and you want to use the same engine for managing a group of small customers, it is probably worth putting those customers’ elements into a single subdomain and using StoneGate’s engine aliases, role-based access control and other existing StoneGate features inside the domain.
You mentioned domain specific aliases… Would you see use cases for that kind of enhancement? How would you like to use them?
————
Phenox, your rumours about the Web Portal are correct! We will provide an easy-to-use, light-weight web user interface that gives your customers access to view the policies, reports and logs. I will publish some more information about the Web Portal tomorrow as a separate article.
February 12th, 2009 at 2:25 am
Ok, maybe I am a bit vague. What I meant with aliases is interface aliases. In other words, I’d like to separate a physical interface on a firewall with a VLAN per customer and then have those VLAN interfaces belonging to a particular customer “domain”.
February 12th, 2009 at 2:38 am
Oh,
I’d think twice on running a firewall for BlackMesa! Or maybe it’s all right; they’ve got Gordon Freeman after all.
February 12th, 2009 at 8:40 am
Johan, StoneGate 5.0 does not let you separate physical interfaces or VLANs of the same firewall engine into different domains. But you can of course use VLANs and interface aliases inside any subdomain. In that case the domain concept restricts the visibility anyway to only those customer elements that are using that specific firewall.
The domain solution StoneGate provides is ideal for those MSSPs who typically have dedicated engines per customer.