Firewall Wizards mailing list archives

Re: Outsourcing.


From: Andrew_Bernoth () advantra com au
Date: Thu, 29 Apr 1999 09:37:41 +1000



Hi,

I currently work for an outsourcing company.  We do look after a number of
firewalls for our customers.
In some instances we have been required (thanks to sales) to put modems
on the back of our equipment.
At which point we ensure that the modem is not powered up, nor connected to
the analogue line all the time.
If we have a support issue we call a contact at the site who switches the
modem on and connects it to the phone line.  One ingenious company put the
modem on a 2 hour timer switch: they push the button, we have 2 hours to fix
the problem before the modem loses power.






David Morrison <dmarriso () spacestar net> on 28/04/99 02:36:52 PM

Please respond to David Morrison <dmarriso () spacestar net>

To:   Matthew_S_Cramer () armstrong com
cc:   firewall-wizards () nfr net, darrenr () reed wattle id au (bcc: Andrew
      Bernoth/AdvInt/Advantra)
Subject:  Re: Outsourcing.




My suggestion is that you get to know the individuals who are being hired.




Matthew_S_Cramer () armstrong com wrote:

darrenr () reed wattle id au wrote:

Have others here had dealings with outsourcing companies and managed to get
them to act responsibly with regard to protecting the integrity of their
clients' networks or have any stories about such a setup being exploited?
(names need not be mentioned).

We currently have an outsourced firewall solution (*gasp* *groan*).  I am not
going to name any company names but they are a huge ISP (global).  This
situation arose because no one here had a clue about internet security (before
I came...blah blah).  Overall it hasn't been terrible, but I have the following
problems:

   Lack of technical skill of the ISP / firewall manager.  Even though they are
huge they still have clueless people in the NOC.  One example that comes to mind
is one we experienced last year - we were getting piss-poor performance of our
proxy server during normal business hours.  My theory - Pentium 90 BSDi box is
too small to handle the load - it should be replaced.  Outsource company's
theory - we had our DNS (we have split DNS) misconfigured.  After 6 weeks the
outsourcing company concluded that the Pentium should be replaced by an
ultraSparc.  Voila!  Problem resolved.  *grrrrr*

   Lack of information for us.  We can't even touch the keyboard on the
firewall, let alone get a shell.  Even though I intuitively diagnosed the
problem above it would have been easier to prove to the ISP / outsourcing
company I was correct if I had access to the machine.

   Backdoors on the firewall - the ISP has a modem on the firewall!!!!

Overall, I think this is a good option for companies that have low cluefulness
amongst their employees, or can't give 24/7 attention to a firewall using only
internal employees.  But there are some security risks - namely you can't see
what they are doing and there are reasons to be worried about incompetence.

We will soon be switching to a more pleasant agreement with an ISP / firewall
service vendor.  In this agreement they will "own" the hardware and the OS and
be responsible for patching and replacing busted kit - but the firewall software
/ rulesets / configuration will only be controlled by internal staff.  Getting
this compromise was the conclusion of over a year of campaigning by me (I've
only worked here a year and a half).

Matt

Disclaimer: The above represents only my personal comments and does not
represent an official position of Armstrong World Industries concerning
companies with whom we do business.