Firewall Wizards mailing list archives

Re: Outsourcing firewalls & InfoSec Ops - Part I/II


From: chuck yerkes <Chuck () yerkes com>
Date: Tue, 16 Dec 1997 10:44:06 -0500 (EST)

With ISPs (that I would work with) who will host machines (or
give me full access to one of theirs), in my experience these
machines are on separate segments and usually on a switch - so
sniffing from "my" machine becomes somewhat useless.

But then, I bring this sort of security mindset with me when I
deal with these folks.  When UNNAMED VENDOR had problems with me
putting up an SSH daemon on their machine (they run the OS, the
client fills the web data/cgi scripts), it sort of stopped
negotiations.

Would that all their clients thought the same....

It is claimed, but unverified, that Paul D. Robertson wrote:

On Tue, 9 Dec 1997, Frank Willoughby wrote:

Further, one huge, nationwide ISP who remotely manages firewalls
disclosed the customer's firewall configuration & rules to me
over the phone - just because I said I was a security consultant
and had the company's permission to obtain this info.  This vendor
also managed the firewall by TELNETing into the firewall over the
Internet - in cleartext.  Anyone on the Internet along the path
from the ISP to the customer could have sniffed the connection
to find out the password and reconfigure the firewall.

It is important to note in this context that even though the service
provider is likely the customer's provider, most ISPs do *not* statically
route their networks.  It's also important to note that one of the
benefits of working for a service provider these days tends to be the
ability to place a machine of one's own on their internal network.  I
think everyone can draw their own conclusions.
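The thread contrasts two ways of managing a hosted firewall remotely: SSH, and TELNET across the Internet in cleartext. The script below is an added example (not code from any poster on this list) of the check a defender can run over flow or connection logs to find management sessions to firewall devices that still use a cleartext protocol. The log format, the sample log lines and the list of managed-firewall management addresses are all constructed for the example; a real deployment would read its own flow export and its own device inventory.

```python
"""Flag cleartext remote-management sessions to firewall devices.

Constructed flow-log format assumed by this example (one record per line):
    <date> <time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <tcp|udp> <bytes>
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical management interfaces of the remotely managed firewalls.
MANAGED_FIREWALLS = {"203.0.113.1", "203.0.113.17"}

# Cleartext administrative services that expose credentials to anyone on the
# path, and the encrypted services that should replace them.
CLEARTEXT_MGMT = {23: "telnet", 80: "http"}
ENCRYPTED_MGMT = {22: "ssh", 443: "https"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>tcp|udp) (?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    service: str
    cleartext: bool


def parse_line(line: str) -> Optional[dict]:
    """Parse one flow record; malformed records yield None and are skipped."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines: Iterable[str]) -> List[Finding]:
    """Return every management session (cleartext or encrypted) to a managed firewall."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["dst"] not in MANAGED_FIREWALLS:
            continue  # not one of our devices; telnet elsewhere is out of scope here
        port = int(rec["dport"])
        if port in CLEARTEXT_MGMT:
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"], CLEARTEXT_MGMT[port], True))
        elif port in ENCRYPTED_MGMT:
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"], ENCRYPTED_MGMT[port], False))
    return findings


def cleartext_sessions(lines: Iterable[str]) -> List[Finding]:
    """Only the sessions whose credentials travelled in the clear."""
    return [f for f in audit(lines) if f.cleartext]


# Constructed sample log: one telnet and one http session to managed firewalls
# (the findings), ssh and https sessions (fine), telnet to an unrelated host,
# and one truncated record that must not break the parser.
SAMPLE_LOG = """\
1997-12-16 09:12:01 198.51.100.5:41022 -> 203.0.113.1:23 tcp 5120
1997-12-16 09:14:33 198.51.100.5:41030 -> 203.0.113.1:22 tcp 18440
1997-12-16 09:20:10 198.51.100.9:55012 -> 203.0.113.17:80 tcp 2201
1997-12-16 09:25:44 192.0.2.40:60001 -> 203.0.113.1:443 tcp 9000
1997-12-16 09:30:00 192.0.2.40:60002 -> 192.0.2.77:23 tcp 100
1997-12-16 09:31:00 truncated record
"""

if __name__ == "__main__":
    for f in cleartext_sessions(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} cleartext {f.service} from {f.src} to firewall {f.dst}")
```

Run against the constructed sample, the script reports the telnet session to 203.0.113.1 and the http session to 203.0.113.17 and stays quiet about the ssh and https sessions. The same logic applies to any flow source that can be mapped onto the record fields above; the value is in keeping the device inventory current, since a firewall missing from `MANAGED_FIREWALLS` is never checked.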


