Re: Firewall administration.

["Larry J. Hughes Jr." <larry () nwnet net>]

Adam Shostack <adam () homeport org> writes:

> So what should a small company do?  They don't have the skill in
> house; probably can't find someone good to bring in as a consultant or
> staff member, since the big players pay more.  So, should they not buy
> a FW when connecting to the internet?  Even a badly done screening
> router offers some protection.  (It also offers overmuch peace of
> mind; but a good fitness for purpose warranty might fix that.)

I joined the list mid-stream, so hopefully my $0.02 isn't redundant.  

We have to address this all the time with our customers, which range from
the very small to the very large.  (We are a good-sized regional ISP.) 
The general case of simply setting up a full-fledged firewall for a small-
to medium-sized business is very rarely a good idea, because after the
setup they still aren't security savvy -- so they may later end up worse
off than just having some basic packet filtering in the router.

Our solution was to invent several levels of managed firewall service,
which scale in features (hence cost) according to the customer's purse. 
The variance in features has more to do with value-add and incident
handling priority than it does with overall quality of service.

The downside is, yes, it costs them some money.  The upside is it costs
them only a fraction of what it does to hire a single security expert. 
They also inherit the windfall of not having to worry about a single
in-house security guru leaving for greener pastures, which happens too
often in this business.

---
Larry J. Hughes Jr.    larry () nwnet net     http://www.nwnet.net/~larry/