RE: [fw-wiz] Managed Firewall Service - Opinions
From: Dave Piscitello (dave@corecom.com)
Date: 04/21/03
- Previous message: Melson, Paul: "RE: [fw-wiz] Managed Firewall Service - Opinions"
- In reply to: Melson, Paul: "RE: [fw-wiz] Managed Firewall Service - Opinions"
- Next in thread: Mark Tinberg: "RE: [fw-wiz] Managed Firewall Service - Opinions"
- Reply: Mark Tinberg: "RE: [fw-wiz] Managed Firewall Service - Opinions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Dave Piscitello <dave@corecom.com> To: firewall-wizards@honor.icsalabs.com Date: Mon, 21 Apr 2003 09:38:34 -0400
We all *hope* this is the case.
But a firewall change that we might all conclude is "risky" is too quickly
reduced to
"the cost of doing business" for some companies, especially when companies
begin
to engage multiple external service providers.
Example. Company A hires MSSP B to run their firewall.
Company A installs 3rd party software and server for vacation rental business.
Company C manages this server and insists that they have telnet access to
their server. While MSSP B might advise against inbound telnet, Company A
chooses to go with Company C's recommended "safe telnet" configuration
(inbound only from their remote administration IP address) and insists MSSP
B allow the
service.
Company A is acting unwisely. Company C is introducing a vulnerability and risk
many would deem unacceptable. MSSP does what the customer asks.
[true story...]
At 07:36 AM 4/21/2003 -0400, Melson Paul wrote:
>Ron,
>
>I would hope that most, if not all, managed service providers would
>advise against perceptibly risky firewall change requests, otherwise
>what's the purpose of outsourcing to experts? Risk analysis should be
>part of any security service provided by a third party. In the same
>vein, what good is a managed IDS or a VA if the engineer performing the
>work can't identify the risks to their customer? That doesn't seem like
>a valuable service to me. Just my $0.02.
>
>PaulM
>
>-----Original Message-----
>From: R. DuFresne [mailto:dufresne@sysinfo.com]
>Sent: Thursday, April 17, 2003 11:10 PM
>To: Duncan Sharp
>Cc: Melson, Paul; firewall-wizards@honor.icsalabs.com
>Subject: Re: [fw-wiz] Managed Firewall Service - Opinions
>
>
>
>Most MSSP's will put into place the rules that your site asks for.
>This seems to mitigate the issue of whom is at fault for a breach based
>upon configuration. Now they <the MSSP> are 'supposed' to be the
>professionals, but, how many will actually caution the client when they
>want to make the rulebae turn their firewall into a router, or simply
>impliment a rule or two that are not considered 'safe' or secure?
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards@honor.icsalabs.com
>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave@corecom.com
843.689.5595
www.corecom.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Melson, Paul: "RE: [fw-wiz] Managed Firewall Service - Opinions"
- In reply to: Melson, Paul: "RE: [fw-wiz] Managed Firewall Service - Opinions"
- Next in thread: Mark Tinberg: "RE: [fw-wiz] Managed Firewall Service - Opinions"
- Reply: Mark Tinberg: "RE: [fw-wiz] Managed Firewall Service - Opinions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
