Firewall Wizards mailing list archives
Re: Outsourcing.
From: David Lang <dlang () diginsite com>
Date: Wed, 28 Apr 1999 19:30:10 -0700 (PDT)
Another answer is to provide strong authentication to the dial-up line. Here at work I have the ability to dial into our routers, but it requires a one-time password to get in.

David Lang

On Thu, 29 Apr 1999 Andrew_Bernoth () advantra com au wrote:
Date: Thu, 29 Apr 1999 09:37:41 +1000
From: Andrew_Bernoth () advantra com au
To: David Morrison <dmarriso () spacestar net>
Cc: Matthew_S_Cramer () armstrong com, firewall-wizards () nfr net, darrenr () reed wattle id au
Subject: Re: Outsourcing.

Hi,

I currently work for an outsourcing company. We do look after a number of firewalls for our customers. In some instances we have been required (thanks to sales) to put modems on the back of our equipment. At which point we ensure that the modem is not powered up, nor connected to the analogue line all the time. If we have a support issue we call a contact at the site who switches the modem on and connects it to the phone line.

One ingenious company put the modem on a 2 hour timer switch, they push the button, we have 2 hours to fix the problem before the modem loses power.

David Morrison <dmarriso () spacestar net> on 28/04/99 02:36:52 PM
Please respond to David Morrison <dmarriso () spacestar net>
To: Matthew_S_Cramer () armstrong com
cc: firewall-wizards () nfr net, darrenr () reed wattle id au (bcc: Andrew Bernoth/AdvInt/Advantra)
Subject: Re: Outsourcing.

My suggestion is that you get to know the individuals which are being hired.

Matthew_S_Cramer () armstrong com wrote:

darrenr () reed wattle id au wrote:

Have others here had dealings with outsourcing companies and managed to get them to act responsibly with regard to protecting the integrity of their clients' networks or have any stories about such a setup being exploited? (names need not be mentioned).

We currently have an outsourced firewall solution (*gasp* *groan*). I am not going to name any company names but they are a huge ISP (global). This situation arose because no one here had a clue about internet security (before I came...blah blah). Overall it hasn't been terrible, but I have the following problems:

Lack of technical skill of the ISP / firewall manager. Even though they are huge they still have clueless people in the NOC. One example that comes to mind is one we experienced last year - we were getting piss-poor performance of our proxy server during normal business hours. My theory - Pentium 90 BSDi box is too small to handle the load - it should be replaced. Outsource company's theory - we had our DNS (we have split DNS) misconfigured. After 6 weeks the outsourcing company concluded that the Pentium should be replaced by an ultraSparc. Voila! Problem resolved. *grrrrr*

Lack of information for us. We can't even touch the keyboard on the firewall, let alone get a shell. Even though I intuitively diagnosed the problem above it would have been easier to prove to the ISP / outsourcing company I was correct if I had access to the machine.

Backdoors on the firewall - the ISP has a modem on the firewall!!!!

Overall, I think this is a good option for companies that have low cluefulness amongst their employees, or can't give 24/7 attention to a firewall using only internal employees. But there are some security risks - namely you can't see what they are doing and there are reasons to be worried about incompetence.

We will soon be switching to a more pleasant agreement with an ISP / firewall service vendor. In this agreement they will "own" the hardware and the OS and be responsible for patching and replacing busted kit - but the firewall software / rulesets / configuration will only be controlled by internal staff. Getting this compromise was the conclusion of over a year of campaigning by me (I've only worked here a year and a half).

Matt

Disclaimer: The above represents only my personal comments and does not represent an official position of Armstrong World Industries concerning companies with whom we do business.

"If users are made to understand that the system administrator's job is to make computers run, and not to make them happy, they can, in fact, be made happy most of the time. If users are allowed to believe that the system administrator's job is to make them happy, they can, in fact, never be made happy."
-Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA '97)