RE: [fw-wiz] Managed Firewall Service - Opinions
From: Dave Piscitello <email@example.com>
To: firstname.lastname@example.org
Date: Mon, 21 Apr 2003 09:38:34 -0400
We all *hope* this is the case.
But a firewall change that we might all conclude is "risky" is too quickly
"the cost of doing business" for some companies, especially when companies
to engage multiple external service providers.
Example. Company A hires MSSP B to run their firewall.
Company A installs 3rd party software and server for vacation rental business.
Company C manages this server and insists that they have telnet access to
their server. While MSSP B might advise against inbound telnet, Company A
chooses to go with Company C's recommended "safe telnet" configuration
(inbound only from their remote administration IP address) and insists MSSP
B allow the
Company A is acting unwisely. Company C is introducing a vulnerability and risk
many would deem unacceptable. MSSP does what the customer asks.
At 07:36 AM 4/21/2003 -0400, Melson Paul wrote:
>I would hope that most, if not all, managed service providers would
>advise against perceptibly risky firewall change requests, otherwise
>what's the purpose of outsourcing to experts? Risk analysis should be
>part of any security service provided by a third party. In the same
>vein, what good is a managed IDS or a VA if the engineer performing the
>work can't identify the risks to their customer? That doesn't seem like
>a valuable service to me. Just my $0.02.
>From: R. DuFresne [mailto:email@example.com]
>Sent: Thursday, April 17, 2003 11:10 PM
>To: Duncan Sharp
>Cc: Melson, Paul; firstname.lastname@example.org
>Subject: Re: [fw-wiz] Managed Firewall Service - Opinions
>Most MSSPs will put into place the rules that your site asks for.
>This seems to mitigate the issue of who is at fault for a breach based
>upon configuration. Now they <the MSSP> are 'supposed' to be the
>professionals, but, how many will actually caution the client when they
>want to make the rulebase turn their firewall into a router, or simply
>implement a rule or two that are not considered 'safe' or secure?
>firewall-wizards mailing list
David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926