Firewall Wizards mailing list archives
RE: Managed Firewall Service - Opinions
From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 21 Apr 2003 10:09:28 -0400 (EDT)
On Mon, 21 Apr 2003, Melson, Paul wrote:

> Ron, I would hope that most, if not all, managed service providers would advise against perceptibly risky firewall change requests, otherwise

Change is perceptibly risky. Especially anything that opens up something. Firewalls' protection mechanisms are based on what they disallow, and "should I allow $foo" is a risk decision that ideally is made with enough of a view into the business to build a comprehensive view of what is and isn't acceptable. Also, non-firewall mitigations may limit the risk in some scenarios that only someone with a deep view of the business would understand.

> what's the purpose of outsourcing to experts? Risk analysis should be

There are two purposes, the first, and main, is *operational* outsourcing. 24x7 coverage, alerting, event interpretation and reporting, platform maintenance, etc. The second is being able to ask "what's the best way to do $foo?"

> part of any security service provided by a third party. In the same vein, what good is a managed IDS or a VA if the engineer performing the work can't identify the risks to their customer? That doesn't seem like a valuable service to me. Just my $0.02.

The risks that can be identified are at a broad level, unless the customer is asking for something that's so basically silly that anyone would notice and alert on it. Anyone who expects magical insight is fooling themselves at the price points MSSPs charge. A full security service looks at a heck of a lot more than just the firewall ruleset (and costs a heck of a lot more than managed monitoring of one or two devices.) For example, "I need one IP address to be able to access the internal network, here's the address..." when the address is a static DSL IP for a member of the network administration department, it's winter and the region is likely to be blanketed with snow is something different than when the address is a desktop in the local college's student pool where the administrator happens to be taking classes at night, or sits in the lobby of a remote building where someone wanted visitors to be able to check the phone directory.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards