Re: [fw-wiz] Managed Firewall Service - Opinions

From: R. DuFresne (dufresne@sysinfo.com)
Date: 04/18/03

    From: "R. DuFresne" <dufresne@sysinfo.com>
    To: Duncan Sharp <drsharp@pacbell.net>
    Date: Thu, 17 Apr 2003 23:09:43 -0400 (EDT)
    

    Most MSSPs will put into place the rules that your site asks for.
    This seems to mitigate the issue of who is at fault for a breach based
    upon configuration. Now they <the MSSP> are 'supposed' to be the
    professionals, but, how many will actually caution the client when they
    want to make the rulebase turn their firewall into a router, or simply
    implement a rule or two that are not considered 'safe' or secure?

    Thanks,

    Ron DuFresne

    On Thu, 17 Apr 2003, Duncan Sharp wrote:

    > "Melson, Paul" wrote:
    >
    > > To be fair, any security services company with a half-way decent legal department will require some level of disclaimer like this in their SLA, or any contract for that matter. You're asking too much if you want to pay a vendor $15K-$20K/yr and expect them to pay 10x to 100x that back if there's a security incident. I can't think of any industry where a vendor assumes that level of risk. That doesn't mean you can't still sue them, though, if you feel there was negligence or incompetence on their part.
    > >
    >
    > Paul;
    >
    > I can think of at least two service areas:
    >
    > 1: Rent-a-guards, where either the guards are bonded or
    > the guard service is insured.
    >
    > 2: Offsite tape {data,document} storage providers. Where the employees
    > are bonded. Hopefully the company offers insurance as an option.
    >
    > It would seem to be prudent to offer some sort of performance penalty in
    > the contract, than to leave the outsourcing company exposed to unlimited
    > damages.
    >
    > In other words offer the customer up to 10x the yearly service fee in
    > verified damages.
    >
    > One additional item of consideration of inhouse vs. outsource:
    >
    > If the inhouse employee(s) fail, I can feel the satisfaction of firing them.
    > This best works for an "at will employee in the US".
    >
    > If the outsourcer fails, I can feel the satisfaction of [???? ???? ????].
    >
    > Yours,
    > Duncan Sharp
    >
    > >
    > > > -----Original Message-----
    > > > From: Jeffery.Gieser@minnesotamutual.com@AICNOTES
    > > > Sent: Thursday, April 17, 2003 11:39 AM
    > > > To: firewall-wizards@honor.icsalabs.com
    > > > Cc: Fiamingo, Frank
    > > > Subject: Re: [fw-wiz] Managed Firewall Service - Opinions
    > > >
    > > [...snip...]
    > > >
    > > > 4. They usually force you to sign an agreement stating they are not
    > > > responsible for any security incident at your site even if it results from a
    > > > configuration mistake that they made on your firewall.
    > > _______________________________________________
    > > firewall-wizards mailing list
    > > firewall-wizards@honor.icsalabs.com
    > > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
    >

    -- 
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            admin & senior security consultant:  sysinfo.com
                            http://sysinfo.com
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    testing, only testing, and damn good at it too!
    
