Comments on: StoneGate 5.0: Domains

By: teroja

teroja — Thu, 12 Feb 2009 06:40:13 +0000

Johan, StoneGate 5.0 does not let you to separate physical interfaces or VLANs of the same firewall engine to different domains. But you can use VLANs and interface aliases of course inside any subdomain. In that case the domain concept restricts the visibility anyway to only those customer elements that are using that specific firewall.

The domain solution StoneGate provides is ideal for those MSSPs who typically have dedicated engines per customer.

By: Johan Lindgren

Johan Lindgren — Thu, 12 Feb 2009 00:38:48 +0000

Oh,

I’d think twice on running a firewall for BlackMesa! Or maybe it’s allright; They’ve Gordon Freeman after all.

By: Johan Lindgren

Johan Lindgren — Thu, 12 Feb 2009 00:25:29 +0000

Ok, maybe I am a bit vague. What I ment with aliases is interface aliases. In other words, I’d like to separate a physical interface on a firewall with a VLAN per customer and then have those VLAN interfaces belonging to a particular customer “domain”.

By: teroja

teroja — Tue, 10 Feb 2009 08:03:42 +0000

Thanks for your interesting questions!

Johan, StoneGate’s Domain solution is mainly for separating administrators’ responsibilities, engines, network elements, policies, logs, statistics etc. Of course it is possible to keep some of your engines in the Shared Domain but that makes the engine elements visible to all your subdomains. That’s why we recommend that you place the customers’ engines to separate subdomains and keep only those elements in the Shared Domain you really want to share.

If you have a lots of small customers and you want to use the same engine for managing a group of small customers it is probably worth putting those customers’ elements in to a single subdomain and use StoneGate’s engine aliases, role based access control and other existing StoneGate features inside the domain.

You mentioned domain specific aliases… Would you see use cases for that kind of enhancement? How would you like to use them?

————

Phenox, your rumours about the Web Portal are correct! We will provide an easy-to-use, light-weight web user interface that gives your customers access to view the policies, reports and logs. I will publish some more information about the Web Portal tomorrow as a separate article .

By: Phenox_

Phenox_ — Mon, 09 Feb 2009 17:56:51 +0000

Will there be also something like a domain based Web Portal where customers may have a look to their currently installed policy or created reports?

By: Johan Lindgren

Johan Lindgren — Mon, 09 Feb 2009 15:41:05 +0000

Can multiple domains use the same firewall objects? For example can eth0 have multiple aliases based on domains/customer ? Or will I need to have separate physical interfaces (firewalls?) per domain?

In short, is this only to separate “administrators, objects and rulebases” in the management? Wich I guess is just fine.

Oh, and this upcoming 5.0 looks REALLY promising. Really hope you guys get this firewall out there. More buzz, more exposure, more noice.

Working now with Checkpoint (Provider-1) and Netscreen (NSM, Netscreen Security Manager) I long for a powerful firewall management like this. Checkpoint is so dated, pretty much the same as the “first” Next Generation (4.1 in 2000 I think it was) and oh so bloated. Netscreen’s are really nice firewalls, their NSM however is a completely different story all together. It’s like sitting in a Trabant watching a nice slick sports car roll by.