Firewall Wizards mailing list archives
Re: Outsourcing.
From: Andrew_Bernoth () advantra com au
Date: Thu, 29 Apr 1999 09:37:41 +1000
Hi,

I currently work for an outsourcing company. We do look after a number of firewalls for our customers. In some instances we have been required (thanks to sales) to put modems on the back of our equipment. At which point we ensure that the modem is not powered up, nor connected to the analogue line all the time. If we have a support issue we call a contact at the site who switches the modem on and connects it to the phone line.

One ingenious company put the modem on a 2 hour timer switch, they push the button, we have 2 hours to fix the problem before the modem loses power.

David Morrison <dmarriso () spacestar net> on 28/04/99 02:36:52 PM
Please respond to David Morrison <dmarriso () spacestar net>
To: Matthew_S_Cramer () armstrong com
cc: firewall-wizards () nfr net, darrenr () reed wattle id au (bcc: Andrew Bernoth/AdvInt/Advantra)
Subject: Re: Outsourcing.

My suggestion is that you get to know the individuals which are being hired.

Matthew_S_Cramer () armstrong com wrote:
darrenr () reed wattle id au wrote:

Have others here had dealings with outsourcing companies and managed to get them to act responsibly with regard to protecting the integrity of their clients' networks or have any stories about such a setup being exploited? (names need not be mentioned).

We currently have an outsourced firewall solution (*gasp* *groan*). I am not going to name any company names but they are a huge ISP (global). This situation arose because no one here had a clue about internet security (before I came...blah blah). Overall it hasn't been terrible, but I have the following problems:

Lack of technical skill of the ISP / firewall manager. Even though they are huge they still have clueless people in the NOC. One example that comes to mind is one we experienced last year - we were getting piss-poor performance of our proxy server during normal business hours. My theory - Pentium 90 BSDi box is too small to handle the load - it should be replaced. Outsource company's theory - we had our DNS (we have split DNS) misconfigured. After 6 weeks the outsourcing company concluded that the Pentium should be replaced by an ultraSparc. Voila! Problem resolved. *grrrrr*

Lack of information for us. We can't even touch the keyboard on the firewall, let alone get a shell. Even though I intuitively diagnosed the problem above it would have been easier to prove to the ISP / outsourcing company I was correct if I had access to the machine.

Backdoors on the firewall - the ISP has a modem on the firewall!!!!

Overall, I think this is a good option for companies that have low cluefulness amongst their employees, or can't give 24/7 attention to a firewall using only internal employees. But there are some security risks - namely you can't see what they are doing and there are reasons to be worried about incompetence.

We will soon be switching to a more pleasant agreement with an ISP / firewall service vendor. In this agreement they will "own" the hardware and the OS and be responsible for patching and replacing busted kit - but the firewall software / rulesets / configuration will only be controlled by internal staff. Getting this compromise was the conclusion of over a year of campaigning by me (I've only worked here a year and a half).

Matt

Disclaimer: The above represents only my personal comments and does not represent an official position of Armstrong World Industries concerning companies with whom we do business.
Current thread:
- Outsourcing. Darren Reed (Apr 19)
- <Possible follow-ups>
- Re: Outsourcing. Matthew_S_Cramer (Apr 20)
- Re: Outsourcing. Darren Reed (Apr 21)
- Re: Outsourcing. David Morrison (Apr 28)
- RE: Outsourcing. James Vaughn (Apr 20)
- Re: Outsourcing. Andrew_Bernoth (Apr 28)
- Re: Outsourcing. David Lang (Apr 29)