Re: [fw-wiz] Managed Firewall Service - Opinions

From: R. DuFresne (dufresne@sysinfo.com)
Date: 04/18/03

  • Next message: Josh Welch: "RE: [fw-wiz] ip range with iptables" 
    From: "R. DuFresne" <dufresne@sysinfo.com>
To: Mike Hoskins <mike@adept.org>
Date: Fri, 18 Apr 2003 16:15:27 -0400 (EDT)

    On Fri, 18 Apr 2003, Mike Hoskins wrote:

    > From: "R. DuFresne" <dufresne@sysinfo.com>
    > To: Duncan Sharp <drsharp@pacbell.net>
    > Subject: Re: [fw-wiz] Managed Firewall Service - Opinions
    > > Most MSSP's will put into place the rules that your site asks for.
    > > This seems to mitigate the issue of whom is at fault for a breach based
    > > upon configuration. Now they <the MSSP> are 'supposed' to be the
    > > professionals, but, how many will actually caution the client when they
    > > want to make the rulebae turn their firewall into a router, or simply
    > > impliment a rule or two that are not considered 'safe' or secure?
    >
    > That raises an interesting question. As 'professionals', one would assume
    > some code of professional ethics. I know, for example, that as a CISSP
    > there are certain guidelines you are supposed to follow.

    Which raises a question also; if the employer pays for you to get
    certified, and many do, then where do the loyalties of the certified
    professional lay? <see below>

    > Perhaps the good
    > MSSP's (likely the ones that hire the good 'professionals') are the ones
    > that do caution the client.

    We found this to be based more upon the corporate climate then an
    adherence to an ethical standing based upon principals equated to a
    certifying authority.

    > Afterall, if an MSSP is simply going to do
    > what the customer says with no questions asked or any attempt to
    > understand the client's requirements and implement the best possible
    > solution... Then why pay an MSSP? Sure they'll manage the equipment and
    > sift through logs for you, but the 'value-add' is greatly reduced IMCO.
    >

    How many MSSP's actually proclaim they will not allow a *paying* client to
    shoot themselves in the foot though? Are there known instances from the
    group that have gone the outsourced route whence the MSSP refused to
    impliment a policy change that was requested from authorized personnel
    for the client? The question might well arise about who is actually in
    control of the managed service...the payee or the payor?

    Thanks,

    Ron DuFresne 

    -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart
testing, only testing, and damn good at it too!
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
  • Next message: Josh Welch: "RE: [fw-wiz] ip range with iptables"

    Relevant Pages