Firewall Wizards mailing list archives

Re: Managed Firewall Service - Opinions


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 17 Apr 2003 23:09:43 -0400 (EDT)


Most MSSPs will put into place the rules that your site asks for.
This seems to mitigate the issue of who is at fault for a breach based
upon configuration.  Now they <the MSSP> are 'supposed' to be the
professionals, but, how many will actually caution the client when they
want to make the rulebase turn their firewall into a router, or simply
implement a rule or two that are not considered 'safe' or secure?


Thanks,

Ron DuFresne

On Thu, 17 Apr 2003, Duncan Sharp wrote:

"Melson, Paul" wrote:

To be fair, any security services company with a half-way decent legal department will require some level of 
disclaimer like this in their SLA, or any contract for that matter.  You're asking too much if you want to pay a 
vendor $15K-$20K/yr and expect them to pay 10x to 100x that back if there's a security incident.  I can't think of 
any industry where a vendor assumes that level of risk.  That doesn't mean you can't still sue them, though, if you 
feel there was negligence or incompetence on their part.


Paul;

    I can think of at least two service areas:

        1: Rent-a-guards, where either the guards are bonded or
            the guard service is insured.

        2: Offsite tape {data,document} storage providers. Where the employees
            are bonded. Hopefully the company offers insurance as an option.

    It would seem to be prudent to offer some sort of performance penalty in
    the contract, rather than to leave the outsourcing company exposed to unlimited
    damages.

    In other words offer the customer up to 10x the yearly service fee in
    verified damages.

    One additional item of consideration of inhouse vs. outsource:

        If the inhouse employee(s) fail, I can feel the satisfaction of firing them.
        This best works for an "at will employee in the US".

        If the outsourcer fails, I can feel the satisfaction of [???? ???? ????].

Yours,
Duncan Sharp


 -----Original Message-----
From:         Jeffery.Gieser () minnesotamutual com@AICNOTES
Sent: Thursday, April 17, 2003 11:39 AM
To:   firewall-wizards () honor icsalabs com
Cc:   Fiamingo, Frank
Subject:      Re: [fw-wiz] Managed Firewall Service - Opinions

[...snip...]

4.  They usually force you to sign an agreement stating they are not
responsible for any security incident at your site even if it results from a
configuration mistake that they made on your firewall.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!


