RE: Managed Firewall Service - Opinions

["Behm, Jeffrey L." <BehmJL () bvsg com>]

To me, the issue being debated is not who is in control, but who is
responsible if something goes bad. If you (not you, personally, Ron)
think it's the MSSP, well, thanks for playing, but that's not the
way I understand the game.

It is true that the MSSP most likely wouldn't refuse, but they 
certainly should be saying, in writing, "Hey Customer, you know,
if you really want to point that loaded gun at your foot, dance
around while your finger's on the trigger, you know, you might
just shoot yourself in the foot, and that's gonna leave a mark."

The MSSP isn't necessarily any *better* equipped to provide a better
"design" than a skilled security-pro-type employee, but they are way 
better equipped to handle the kind of data being spewed from security
devices, as well as interpreting and cross analyzing to other sites.
Similar to a skilled Systems Admin that can set up and run a web
server off his own DMZ, but typically doesn't have the redundant
connections to the net, and the hardware to provide load balancing,
redundancy, backups, etc. that an ISP/ASP would have readily
available to provide.

> At some point, R. DuFresne spewed:
> Are there known instances from the
> group that have gone the outsourced route whence the MSSP refused to
> impliment a policy change that was requested from authorized personnel
> for the client?  The question might well arise about who is actually
> in control of the managed service...the payee or the payor?

> Ron DuFresne
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards