RE: [fw-wiz] Managed Firewall Service - Opinions

From: Dave Piscitello
Date: 04/21/03

    From: Dave Piscitello
    Date: Mon, 21 Apr 2003 09:38:34 -0400

    We all *hope* this is the case.

    But a firewall change that we might all conclude is "risky" is too quickly
    reduced to "the cost of doing business" for some companies, especially when
    companies engage multiple external service providers.

    Example. Company A hires MSSP B to run their firewall.
    Company A installs 3rd party software and server for vacation rental business.
    Company C manages this server and insists that they have telnet access to
    their server. While MSSP B might advise against inbound telnet, Company A
    chooses to go with Company C's recommended "safe telnet" configuration
    (inbound only from their remote administration IP address) and insists MSSP
    B allow the

    Company A is acting unwisely. Company C is introducing a vulnerability and risk
    many would deem unacceptable. MSSP does what the customer asks.

    [true story...]

    At 07:36 AM 4/21/2003 -0400, Melson Paul wrote:
    >I would hope that most, if not all, managed service providers would
    >advise against perceptibly risky firewall change requests, otherwise
    >what's the purpose of outsourcing to experts? Risk analysis should be
    >part of any security service provided by a third party. In the same
    >vein, what good is a managed IDS or a VA if the engineer performing the
    >work can't identify the risks to their customer? That doesn't seem like
    >a valuable service to me. Just my $0.02.
    >
    >-----Original Message-----
    >From: R. DuFresne []
    >Sent: Thursday, April 17, 2003 11:10 PM
    >To: Duncan Sharp
    >Cc: Melson, Paul;
    >Subject: Re: [fw-wiz] Managed Firewall Service - Opinions
    >
    >Most MSSPs will put into place the rules that your site asks for.
    >This seems to mitigate the issue of who is at fault for a breach based
    >upon configuration. Now they <the MSSP> are 'supposed' to be the
    >professionals, but how many will actually caution the client when they
    >want to make the rulebase turn their firewall into a router, or simply
    >implement a rule or two that are not considered 'safe' or secure?
    >firewall-wizards mailing list

    David M. Piscitello
    Core Competence, Inc. &
    3 Myrtle Bank Lane
    Hilton Head, SC 29926
