RE: [fw-wiz] Managed Firewall Service - Opinions

From: Paul D. Robertson
Date: 04/21/03

    From: "Paul D. Robertson"
    To: "Melson, Paul"
    Date: Mon, 21 Apr 2003 10:09:28 -0400 (EDT)

    On Mon, 21 Apr 2003, Melson, Paul wrote:

    > Ron,
    > I would hope that most, if not all, managed service providers would
    > advise against perceptibly risky firewall change requests, otherwise

    Change is perceptibly risky. Especially anything that opens up
    something. Firewalls' protection mechanisms are based on what they
    disallow, and "should I allow $foo" is a risk decision that ideally is
    made with enough of a view into the business to build a comprehensive view
    of what is and isn't acceptable. Also, non-firewall mitigations may
    limit the risk in some scenarios that only someone with a deep view of the
    business would understand.

    > what's the purpose of outsourcing to experts? Risk analysis should be

    There are two purposes; the first and main one is *operational* outsourcing.
    24x7 coverage, alerting, event interpretation and reporting, platform
    maintenance, etc. The second is being able to ask "what's the best way to
    do $foo?"

    > part of any security service provided by a third party. In the same
    > vein, what good is a managed IDS or a VA if the engineer performing the
    > work can't identify the risks to their customer? That doesn't seem like
    > a valuable service to me. Just my $0.02.

    The risks that can be identified are at a broad level, unless the customer
    is asking for something that's so basically silly that anyone would notice
    and alert on it.

    Anyone who expects magical insight is fooling themselves at the price
    points MSSPs charge. A full security service looks at a heck of a lot
    more than just the firewall ruleset (and costs a heck of a lot more than
    managed monitoring of one or two devices.)

    For example, "I need one IP address to be able to access the internal
    network, here's the address..." when the address is a static DSL IP
    for a member of the network administration department, it's winter and the
    region is likely to be blanketed with snow is something different than
    when the address is a desktop in the local college's student pool where
    the administrator happens to be taking classes at night, or sits in the
    lobby of a remote building where someone wanted visitors to be able to
    check the phone directory.

    Paul D. Robertson
    "My statements in this message are personal opinions which may have no basis whatsoever in fact."
    Director of Risk Assessment
    TruSecure Corporation

    firewall-wizards mailing list
