Firewall Wizards mailing list archives

RE: Managed Firewall Service - Opinions


From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 21 Apr 2003 11:19:20 -0400 (EDT)

On Mon, 21 Apr 2003, Melson, Paul wrote:

There are two purposes, the first, and main is *operational* outsourcing.
24x7 coverage, alerting, event interpretation and reporting, platform
maintenance, etc.  The second is being able to ask "what's the best way to
do $foo?"

Alerting and event interpretation sound like risk analysis tasks to me.

Not really, they're more operational tasks than analytical tasks.  Way 
more math goes into a real risk analysis than "Hmmm, that looks bad, I 
should call someone!"

If your service provider isn't doing some form of risk analysis based on
their knowledge of your environment and the Internet in general before
contacting you, then you could probably replace them with a software
product, yes?

Not really, again, as I see it, it is more of an operational outsourcing 
than a knowledge outsourcing (or more properly, the knowledge piece is 
really more operational than policy-based.)

Anyone who expects magical insight is fooling themselves at the price
points MSSPs charge.  A full security service looks at a heck of a lot
more than just the firewall ruleset (and costs a heck of a lot more than
managed monitoring of one or two devices.)

I couldn't agree more.  If you read back to the beginning of the thread,
I gave this exact piece of advice to Frank when he first broached the
subject.  It's important to work with a vendor that brings more to the
table than just "a few guys that can write access-lists."  I guess
because I work for the latter, I failed to distinguish between a service
provider that only makes requested changes to the firewall and one that
manages the firewall in conjunction with a bevy of other security
services.

Outsourcing operational management is different than outsourcing or 
"teaming" or whatever other buzzword you want to use for a larger security 
service.  For people who just want to outsource their firewall/IDS stuff, 
the expectation that some magic security bunny is going to hop over their 
ruleset changes with a risk picture isn't a good expectation to set.
  
Telnet to a *nix box running Solaris 4.3 is something completely different 
from telnet to a well-managed mainframe for access to public real estate 
data.  

"A bevy of other security services" cost a bevy of more dollars, and 
requires a significantly larger trust extension.  Plugs like that aren't 
relevant to the thread, and I'll actively resist responding to them 
directly on list[1].

Heck, I don't think most internal company firewall administrators are 
given enough insight into the business to understand the risk implications 
of the changes they're asked to make,

Real risk analysis is a structured and somewhat invasive process that 
requires a lot more insight into a company's network, culture, policies, 
operational levels, business, growth strategy, etc. than folks contracting 
firewall management and monitoring tend to get.

Paul
[1.]  My employer competes in this space, and I moderate the list, I'll be 
more than happy to respond off-list, but marketing-ish slants aren't 
appropriate here.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

