Firewall Wizards mailing list archives

RE: Managed Firewall Service - Opinions


From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 21 Apr 2003 10:09:28 -0400 (EDT)

On Mon, 21 Apr 2003, Melson, Paul wrote:

> Ron,
> 
> I would hope that most, if not all, managed service providers would
> advise against perceptibly risky firewall change requests, otherwise

Change is perceptibly risky.  Especially anything that opens up 
something.  Firewalls' protection mechanisms are based on what they 
disallow, and "should I allow $foo" is a risk decision that ideally is 
made with enough of a view into the business to build a comprehensive view 
of what is and isn't acceptable.  Also, non-firewall mitigations may 
limit the risk in some scenarios that only someone with a deep view of the 
business would understand.
 
> what's the purpose of outsourcing to experts?  Risk analysis should be

There are two purposes, the first, and main is *operational* outsourcing.  
24x7 coverage, alerting, event interpretation and reporting, platform 
maintenance, etc.  The second is being able to ask "what's the best way to 
do $foo?"  

> part of any security service provided by a third party.  In the same
> vein, what good is a managed IDS or a VA if the engineer performing the
> work can't identify the risks to their customer?  That doesn't seem like
> a valuable service to me.  Just my $0.02.

The risks that can be identified are at a broad level, unless the customer 
is asking for something that's so basically silly that anyone would notice 
and alert on it.

Anyone who expects magical insight is fooling themselves at the price 
points MSSPs charge.  A full security service looks at a heck of a lot 
more than just the firewall ruleset (and costs a heck of a lot more than 
managed monitoring of one or two devices.)

For example, "I need one IP address to be able to access the internal 
network, here's the address...", when the address is a static DSL IP 
for a member of the network administration department, it's winter and the 
region is likely to be blanketed with snow, is something different than 
when the address is a desktop in the local college's student pool where 
the administrator happens to be taking classes at night, or sits in the 
lobby of a remote building where someone wanted visitors to be able to 
check the phone directory.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
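
An added illustration of the split Paul draws above, not code from the
thread or from any MSSP: a change-request triage that does only what a
ruleset-level review can do.  It rejects requests that are silly on their
face (any source into the internal range, a large external range with every
port inbound) and marks as "needs-context" the ones where the rule itself
carries no answer, such as a single external host with full access, which is
the static-DSL-versus-college-lobby case.  The RFC 1918 definition of
"internal", the list of services flagged on sight, and the sample requests
are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumption for the example: the customer's "internal network" is RFC 1918 space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Services an MSSP analyst would question on sight when opened inbound (assumed list).
NOISY_PORTS = {23: "telnet", 135: "msrpc", 139: "netbios", 445: "smb",
               1433: "mssql", 3306: "mysql", 3389: "rdp"}


@dataclass
class ChangeRequest:
    src: str            # "any" or an address/CIDR
    dst: str            # "any" or an address/CIDR
    dport: str          # "any" or a port number
    note: str = ""      # requester's justification, free text; not machine-checkable


def _net(spec):
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def _is_internal(net):
    return net is not None and any(
        net.version == n.version and net.subnet_of(n) for n in INTERNAL_NETS)


def triage(req):
    """Return (verdict, findings).
    'reject'        : silly on its face, no business view needed
    'needs-context' : only someone who knows the business can decide
    'ok'            : nothing a ruleset-only review can object to"""
    src, dst = _net(req.src), _net(req.dst)
    src_ext = src is not None and not _is_internal(src)
    dst_int = dst is None or _is_internal(dst)
    findings = []

    if src is None and dst_int:
        findings.append(("reject", f"any source into {req.dst}"))

    if src_ext and dst_int:
        scope = "host" if src.num_addresses == 1 else f"{src.num_addresses}-address range"
        if req.dport == "any":
            if src.num_addresses > 256:
                findings.append(("reject",
                    f"external {scope} {src} gets every port into {req.dst}"))
            else:
                # The case in the post: the rule reads the same whether the address
                # is an admin's static DSL line or a college lobby desktop.
                findings.append(("needs-context",
                    f"external {scope} {src} gets every port into {req.dst}; "
                    f"who controls that address?"))
        elif int(req.dport) in NOISY_PORTS:
            findings.append(("needs-context",
                f"{NOISY_PORTS[int(req.dport)]}/{req.dport} exposed to external {scope} {src}"))

    if any(v == "reject" for v, _ in findings):
        verdict = "reject"
    elif findings:
        verdict = "needs-context"
    else:
        verdict = "ok"
    return verdict, [msg for _, msg in findings]


if __name__ == "__main__":
    # Constructed sample requests; addresses are documentation ranges.
    for req in (ChangeRequest("any", "10.0.0.0/8", "any"),
                ChangeRequest("203.0.113.7", "10.0.0.0/8", "any", "admin's home DSL"),
                ChangeRequest("198.51.100.0/24", "192.168.10.5", "3389"),
                ChangeRequest("10.1.2.3", "10.5.0.10", "22")):
        print(req.src, "->", req.dst, req.dport, triage(req))
```

The point of the "needs-context" bucket is that nothing the MSSP holds
distinguishes the second request's address from one in a student pool; the
note field is passed through for a human, not parsed, because that decision
lives with the customer.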

