Re: Outsourcing.

[David Morrison <dmarriso () spacestar net>]

My suggestion is that you get to know the individuals which are being hired.




Matthew_S_Cramer () armstrong com wrote:

> darrenr () reed wattle id au wrote:
>
> > Have others here had dealings with outsourcing companies and managed to get
> > them to act responsibly with regard to protecting the integrity of their
> > clients' networks or have any stories about such a setup being exploited ?
> > (names need not be mentioned).
>
> We currently have an outsourced firewall solution (*gasp* *groan*).  I am not
> going to name any company names but they are a huge ISP (global).  This
> situation arose because no one here had a clue about internet security (before I
> came...blah blah).  Overall it hasn't been terrible, but I have the following
> problems:
>
>    Lack of technical skill of the ISP / firewall manager.  Even though they are
> huge they still have clueless people in the NOC.  One example that comes to mind
> is one we experienced last year - we were getting piss-poor performance of our
> proxy server during normal business hours.  My theory - Pentium 90 BSDi box is
> too small to handle the load - it should be replaced.  Outsource company's
> theory - we had our DNS (we have split DNS) misconfigured.  After 6 weeks the
> outsourcing company concluded that the Pentium should be replaced by an
> ultraSparc.  Voila!  Problem resolved.  *grrrrr*
>
>    Lack of information for us.  We can't even touch the keyboard on the
> firewall, let alone get a shell.  Even though I intuitively diagnosed the
> problem above it would have been easier to prove to the ISP / outsourcing
> company I was correct if I had access to the machine.
>
>    Backdoors on the firwall - the ISP has a modem on the firewall!!!!
>
> Overall, I think this is a good option for companies that have low cluefulness
> amongst their employees, or can't give 24/7 attention to a firewall using only
> internal employees.  But there are some security risks - namely you can't see
> what they are doing and there are reasons to be worried about incompetence.
>
> We will soon be switching to a more pleasant agreement with a ISP / firewall
> service vendor.  In this agreement they will "own" the hardware and the OS and
> be responsible for patching and replacing busted kit - but the firewall software
> / rulesets / configuration will only be controlled by internal staff.  Getting
> this compromise was the conclusion of over a year of campaigning by me (I've
> only worked here a year and a half).
>
> Matt
>
> Disclaimer: The above represents only my personal comments and does not
> represent an official position of Armstrong World Industries concerning
> companies with whom we do business.