Firewall Wizards mailing list archives

RE: Best practices for outsourcing firewall management


From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Tue, 29 Apr 2003 10:38:57 +0200

The idea is to have the MSSP monitoring what the infrastructure provider is
doing, since the client does not have, or want, the expertise to do this
themselves.

If the MSSP does the changes themselves, it becomes the client's problem to
make sure that they are properly implemented, to a certain extent. (Of
course, not trusting them to implement them correctly, but trusting them to
check that they are done correctly is kind of a contradiction, isn't it?)

Are you suggesting that it is a more feasible approach to have the
ISP/telco/hosting provider simply responsible for "facilities" (aircon, UPS,
bandwidth, backups?, spares for certain hardware (routers, cache-proxies,
etc)), and leave the MSSP to be responsible for managing (implementing and
reviewing) security devices such as firewalls, IDS, etc, which would also
include being responsible for replacing firewall and IDS hardware as
necessary?

Rogan

-----Original Message-----
From: PMelson () analysts com [mailto:PMelson () analysts com] 
Sent: 25 April 2003 10:15 PM
To: Dawes, Rogan (ZA - Johannesburg); firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Best practices for outsourcing firewall management

What's the purpose of having an ISP maintain the firewall/router instead of
the MSSP? Or am I misunderstanding your intent?

I see some disadvantages here. First, if your MSSP is going to perform IDS
monitoring, this creates a major delay in their ability to respond to an
incident by blocking attackers. Second, many providers that host firewalls
don't like to share. That is to say, it's good practice to interface directly
and exclusively with the customer in order to authenticate any changes and
make sure that they are what the customer wants. A large MSSP is going to have
a breadth of staff that can handle customer change requests, which is a good
thing, but means that the provider that implements changes on the gateway will
need a lousy security policy, which is a bad thing.

Third, and this comes from my own personal bias, most telco/ISP shops have
such lousy security I wouldn't trust them further than I can throw them. If it
were me, not only would I not want them implementing changes on a customer
firewall, I wouldn't want them to manage the border router outside of the
firewall, either. I understand wanting to implement checks and balances, but I
feel that including an ISP as an integral part of a security services equation
is less of "defense in depth" and more of "the weakest link."

If you are trying to build in local hw/sw support for the firewall, consider
making that part of the SLA when evaluating the MSSP. Even if the firewall is
managed in a central location, many MSSPs may have regional integrator
practices nearby that can get hardware and a skilled engineer to the customer
within hours of a failure. This may have the added bonus of being cheaper than
your original idea since several of us (MSSPs) include this automatically in
our managed firewall services.

PaulM

 -----Original Message-----
My proposal to them has been along the following lines:

* Internal company managed policy setting, and change control process
* Outsourced Managed Security Service Provider (e.g. Counterpane, IBM Global
Services, etc)
* Regional Gateway operators (regional telco, other large ISP, etc. NOT the
same as the MSSP)

The process would be something like:

* A division in the company identifies a need for a change to the gateway
(e.g. allowing a new service, putting a new machine in the gateway
infrastructure, etc)
* The MSSP consults on the potential impact that this could have in terms of
security (including discussion with the Gateway Operator)
* The MSSP ultimately instructs the Gateway Operators to perform the accepted
change.
* The Gateway operator implements the change.
* The MSSP reviews the changes made to the infrastructure, to ensure that
what changed was what was approved.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards