Firewall Wizards mailing list archives

Re: Managed Firewall Service - Opinions


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 18 Apr 2003 16:15:27 -0400 (EDT)

On Fri, 18 Apr 2003, Mike Hoskins wrote:

From: "R. DuFresne" <dufresne () sysinfo com>
To: Duncan Sharp <drsharp () pacbell net>
Subject: Re: [fw-wiz] Managed Firewall Service - Opinions
Most MSSP's will put into place the rules that your site asks for.
This seems to mitigate the issue of who is at fault for a breach based
upon configuration.  Now they <the MSSP> are 'supposed' to be the
professionals, but, how many will actually caution the client when they
want to make the rulebase turn their firewall into a router, or simply
implement a rule or two that are not considered 'safe' or secure?

That raises an interesting question.  As 'professionals', one would assume
some code of professional ethics.  I know, for example, that as a CISSP
there are certain guidelines you are supposed to follow.  

Which raises a question also; if the employer pays for you to get
certified, and many do, then where do the loyalties of the certified
professional lie?  <see below>

Perhaps the good
MSSP's (likely the ones that hire the good 'professionals') are the ones
that do caution the client. 

We found this to be based more upon the corporate climate than an
adherence to an ethical standing based upon principles equated to a
certifying authority.

After all, if an MSSP is simply going to do
what the customer says with no questions asked or any attempt to
understand the client's requirements and implement the best possible
solution...  Then why pay an MSSP?  Sure they'll manage the equipment and
sift through logs for you, but the 'value-add' is greatly reduced IMCO.


How many MSSP's actually proclaim they will not allow a *paying* client to
shoot themselves in the foot though?  Are there known instances from the
group that have gone the outsourced route whence the MSSP refused to
implement a policy change that was requested from authorized personnel
for the client?  The question might well arise about who is actually in
control of the managed service... the payee or the payor?

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards