RE: [fw-wiz] Managed Firewall Service - Opinions
From: Paul D. Robertson (firstname.lastname@example.org)
From: "Paul D. Robertson" <email@example.com> To: "Melson, Paul" <PMelson@sequoianet.com> Date: Mon, 21 Apr 2003 10:09:28 -0400 (EDT)
On Mon, 21 Apr 2003, Melson, Paul wrote:
> I would hope that most, if not all, managed service providers would
> advise against perceptibly risky firewall change requests, otherwise
Change is perceptibly risky. Especially anything that opens up
something. Firewalls' protection mechanisms are based on what they
disallow, and "should I allow $foo" is a risk decision that ideally is
made with enough of a view into the business to build a comprehensive view
of what is and isn't acceptable. Also, non-firewall mitigations may
limit the risk in some scenarios that only someone with a deep view of the
business would understand.
> what's the purpose of outsourcing to experts? Risk analysis should be
There are two purposes, the first, and main is *operational* outsourcing.
24x7 coverage, alerting, event interpretation and reporting, platform
maintenance, etc. The second is being able to ask "what's the best way to
> part of any security service provided by a third party. In the same
> vein, what good is a managed IDS or a VA if the engineer performing the
> work can't identify the risks to their customer? That doesn't seem like
> a valuable service to me. Just my $0.02.
The risks that can be identified are at a broad level, unless the customer
is asking for something that's so basically silly that anyone would notice
and alert on it.
Anyone who expects magical insight is fooling themselves at the price
points MSSPs charge. A full security service looks at a heck of a lot
more than just the firewall ruleset (and costs a heck of a lot more than
managed monitoring of one or two devices.)
For example, "I need one IP address to be able to access the internal
network, here's the address..." when the address is a static DSL IP
for a member of the network administration department, it's winter and the
region is likely to be blanketed with snow is something different than
when the address is a desktop in the local college's student pool where
the administrator happens to be taking classes at night, or sits in the
lobby of a remote building where someone wanted visitors to be able to
check the phone directory.
Paul D. Robertson
firstname.lastname@example.org
email@example.com
Director of Risk Assessment, TruSecure Corporation
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
firewall-wizards mailing list
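The two points above (a firewall protects by what it disallows, and a change request like "allow one IP into the internal network" carries very different risk depending on where that address actually lives) can be shown in a small default-deny filter plus a change-request screen. This is an added example, not code from the thread or from TruSecure; the addresses, the `source_context` fields and the escalation thresholds are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample network: the "internal network" a requester wants to reach.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "allow" or "deny"


def evaluate(rules, src, dst):
    """First-match packet filter with an implicit final deny.

    The protection comes from what no allow rule matches: anything not
    explicitly permitted falls through to "deny".
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return "deny"


@dataclass
class ChangeRequest:
    src: str                      # address the requester wants allowed
    dst: ipaddress.IPv4Network    # what it should reach
    # Hypothetical context a provider would need from the customer:
    #   addressing: "static" | "dynamic"
    #   location:   "admin_home" | "shared_lab" | "public_lobby"
    #   owner:      role of the person behind the address
    source_context: dict = field(default_factory=dict)


def review(req):
    """Screen a request that widens access, returning (verdict, reasons).

    Without business context the provider can only flag the obviously
    silly; with it, the same rule can be approved or escalated.
    """
    reasons = []
    opens_internal = req.dst.overlaps(INTERNAL)
    ctx = req.source_context
    if not ctx:
        return "escalate", ["no source context supplied; cannot assess risk"]
    if opens_internal and ctx.get("addressing") == "dynamic":
        reasons.append("dynamic address: rule will eventually match someone else")
    if opens_internal and ctx.get("location") in ("shared_lab", "public_lobby"):
        reasons.append("source host is shared or physically exposed")
    if opens_internal and ctx.get("owner") != "network_admin":
        reasons.append("requester is not a network administrator")
    return ("escalate" if reasons else "approve"), reasons


def apply_if_approved(rules, req):
    """Append an allow rule only when review approves; default-deny otherwise."""
    verdict, _ = review(req)
    if verdict == "approve":
        rules.append(Rule(ipaddress.ip_network(req.src), req.dst, "allow"))
    return verdict


if __name__ == "__main__":
    rules = []
    home = ChangeRequest("203.0.113.7", INTERNAL,
                         {"addressing": "static", "location": "admin_home",
                          "owner": "network_admin"})
    lobby = ChangeRequest("198.51.100.20", INTERNAL,
                          {"addressing": "dynamic", "location": "public_lobby",
                           "owner": "visitor_kiosk"})
    print(apply_if_approved(rules, home), apply_if_approved(rules, lobby))
    print(evaluate(rules, "203.0.113.7", "10.1.2.3"),
          evaluate(rules, "198.51.100.20", "10.1.2.3"))
```

The same `allow <ip> -> 10.0.0.0/8` rule is approved for the administrator's static home address and escalated for the lobby kiosk; the filter itself never changes, only the decision about which allow to add.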