RE: [fw-wiz] Managed Firewall Service - Opinions

From: Paul D. Robertson
Date: 04/21/03

    From: "Paul D. Robertson" <>
    To: "Melson, Paul" <>
    Date: Mon, 21 Apr 2003 10:09:28 -0400 (EDT)

    On Mon, 21 Apr 2003, Melson, Paul wrote:

    > Ron,
    > I would hope that most, if not all, managed service providers would
    > advise against perceptibly risky firewall change requests, otherwise

    Change is perceptibly risky. Especially anything that opens up
    something. Firewalls' protection mechanisms are based on what they
    disallow, and "should I allow $foo" is a risk decision that ideally is
    made with enough of a view into the business to build a comprehensive view
    of what is and isn't acceptable. Also, non-firewall mitigations may
    limit the risk in some scenarios that only someone with a deep view of the
    business would understand.

    > what's the purpose of outsourcing to experts? Risk analysis should be

    There are two purposes, the first, and main is *operational* outsourcing.
    24x7 coverage, alerting, event interpretation and reporting, platform
    maintenance, etc. The second is being able to ask "what's the best way to
    do $foo?"

    > part of any security service provided by a third party. In the same
    > vein, what good is a managed IDS or a VA if the engineer performing the
    > work can't identify the risks to their customer? That doesn't seem like
    > a valuable service to me. Just my $0.02.

    The risks that can be identified are at a broad level, unless the customer
    is asking for something that's so basically silly that anyone would notice
    and alert on it.

    Anyone who expects magical insight is fooling themselves at the price
    points MSSPs charge. A full security service looks at a heck of a lot
    more than just the firewall ruleset (and costs a heck of a lot more than
    managed monitoring of one or two devices.)

    For example, "I need one IP address to be able to access the internal
    network, here's the address..." when the address is a static DSL IP
    for a member of the network administration department, it's winter, and the
    region is likely to be blanketed with snow, is something different than
    when the address is a desktop in the local college's student pool where
    the administrator happens to be taking classes at night, or sits in the
    lobby of a remote building where someone wanted visitors to be able to
    check the phone directory.

    Paul D. Robertson
    "My statements in this message are personal opinions which may have no
    basis whatsoever in fact."
    Director of Risk Assessment
    TruSecure Corporation

    firewall-wizards mailing list
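The change request in the example above, written out as an nftables ruleset. This is an added illustration, not configuration from the original message or from anyone on the list; the source address 203.0.113.17, the internal host 10.0.5.20, the 10.0.0.0/8 internal range and the choice of SSH as the service are all assumed for the example. The point it makes is the one in the reply: the default-deny policy is what does the protecting, and the two forms of the exception differ only in how much of that protection the request gives away.

```nftables
# Added example: a default-deny forwarding policy with one exception for an
# administrator's fixed external address. Addresses and the SSH service are
# assumed for illustration only.
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections already allowed.
        ct state established,related accept

        # Form 1, the request as phrased ("access the internal network"):
        # one source, but every internal host and every service. Left
        # commented out; it is the version a provider should push back on.
        # ip saddr 203.0.113.17 ip daddr 10.0.0.0/8 accept

        # Form 2, the scoped version a managed provider could reasonably
        # accept: same source, a single destination host, a single service,
        # and every new session logged so it shows up in monitoring.
        ip saddr 203.0.113.17 ip daddr 10.0.5.20 tcp dport 22 \
            ct state new log prefix "admin-ssh " accept

        # Everything else the request did not ask for is still refused by
        # the chain policy; log a sample so the drops are visible.
        limit rate 10/minute log prefix "fwd-drop " drop
    }
}
```

Whether even the scoped rule is acceptable is the business question the reply is talking about (who is behind 203.0.113.17, and what else protects 10.0.5.20); the ruleset only makes the size of the exception explicit.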
