Firewall Wizards mailing list archives

RE: Best practices for outsourcing firewall management


From: "Melson, Paul" <PMelson () sequoianet com>
Date: Fri, 25 Apr 2003 16:15:23 -0400

What's the purpose of having an ISP maintain the firewall/router instead of the MSSP?  Or am I misunderstanding your 
intent?  

I see some disadvantages here.  First, if your MSSP is going to perform IDS monitoring, this creates a major delay in 
their ability to respond to an incident by blocking attackers.  Second, many providers that host firewalls don't like 
to share.  That is to say, it's good practice to interface directly and exclusively with the customer in order to 
authenticate any changes and make sure that they are what the customer wants.  A large MSSP is going to have a breadth 
of staff that can handle customer change requests, which is a good thing, but means that the provider that implements 
changes on the gateway will need a lousy security policy, which is a bad thing.

Third, and this comes from my own personal bias, most telco/ISP shops have such lousy security I wouldn't trust them 
further than I can throw them.  If it were me, not only would I not want them implementing changes on a customer 
firewall, I wouldn't want them to manage the border router outside of the firewall, either.  I understand wanting to 
implement checks and balances, but I feel that including an ISP as an integral part of a security services equation is 
less of "defense in depth" and more of "the weakest link."

If you are trying to build in local hw/sw support for the firewall, consider making that part of the SLA when 
evaluating the MSSP.  Even if the firewall is managed in a central location, many MSSPs may have regional integrator 
practices nearby that can get hardware and a skilled engineer to the customer within hours of a failure.  This may have 
the added bonus of being cheaper than your original idea since several of us (MSSPs) include this automatically in our 
managed firewall services.

PaulM

 -----Original Message-----
My proposal to them has been along the following lines:

* Internal company-managed policy setting and change control process
* Outsourced Managed Security Service Provider (e.g. Counterpane, IBM Global Services, etc.)
* Regional Gateway Operators (regional telco, other large ISP, etc.; NOT the same as the MSSP)

The process would be something like:

* A division in the company identifies a need for a change to the gateway (e.g. allowing a new service, putting a new machine in the gateway infrastructure, etc.)
* The MSSP consults on the potential impact that this could have in terms of security (including discussion with the Gateway Operator).
* The MSSP ultimately instructs the Gateway Operators to perform the accepted change.
* The Gateway Operator implements the change.
* The MSSP reviews the changes made to the infrastructure, to ensure that what changed was what was approved.
 
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
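The last step of the quoted proposal, the MSSP checking that what the gateway operator changed is exactly what was approved, is the step that catches an operator who takes the opportunity to open something for itself. The following is an added example of how that review can be made mechanical; it is not code from the original post or from any provider named in the thread. The five-field rule format, the rulebase snapshots, the addresses and the approved change are all constructed for illustration; a real review would pull the before/after rulebase from the device and the approved change from the ticketing system.

```python
"""Check that a gateway change matches what the MSSP approved.

Added example for this thread, not code from the original post or from
any provider named in it. The five-field rule format and all snapshots
below are constructed; a real review would pull the before/after rulebase
from the device and the approved change from the ticketing system.
"""


def parse_rules(text):
    """Parse 'action proto src dst port' lines into an ordered list of tuples.

    Blank lines and '#' comments are ignored; anything else that is not
    exactly five fields is rejected rather than silently skipped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = tuple(line.split())
        if len(fields) != 5:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append(fields)
    return rules


def verify_change(before, after, approved_add, approved_remove=""):
    """Compare the actual diff of two rulebase snapshots with the approved one.

    Returns a report; 'ok' is True only when every rule that appeared or
    disappeared was approved, every approved change landed, and the rules
    that survived kept their relative order (position matters on a
    first-match firewall, so a reordering is a policy change too).
    """
    before_list, after_list = parse_rules(before), parse_rules(after)
    before_set, after_set = set(before_list), set(after_list)
    added, removed = after_set - before_set, before_set - after_set
    want_add = set(parse_rules(approved_add))
    want_remove = set(parse_rules(approved_remove))

    # Rules present in both snapshots, in the order each snapshot lists them.
    kept_before = [r for r in before_list if r in after_set]
    kept_after = [r for r in after_list if r in before_set]

    report = {
        "unapproved_added": sorted(added - want_add),
        "unapproved_removed": sorted(removed - want_remove),
        "approved_not_added": sorted(want_add - added),
        "approved_not_removed": sorted(want_remove - removed),
        "reordered": kept_before != kept_after,
    }
    report["ok"] = not report["reordered"] and not any(
        report[k] for k in (
            "unapproved_added", "unapproved_removed",
            "approved_not_added", "approved_not_removed",
        )
    )
    return report


# Constructed snapshots (hypothetical addresses, not from the thread).
BEFORE = """\
allow tcp any 10.0.0.10 80
allow tcp any 10.0.0.10 443
deny any any any any
"""

# The approved change: expose a new web server on 443 and nothing else.
APPROVED_ADD = "allow tcp any 10.0.0.20 443\n"

# What the operator should have produced.
AFTER_CLEAN = """\
allow tcp any 10.0.0.10 80
allow tcp any 10.0.0.10 443
allow tcp any 10.0.0.20 443
deny any any any any
"""

# What the operator actually produced: the approved rule, plus a door for
# its own management host that was never part of the request.
AFTER_AS_IMPLEMENTED = """\
allow tcp any 10.0.0.10 80
allow tcp any 10.0.0.10 443
allow tcp any 10.0.0.20 443
allow tcp 203.0.113.7 10.0.0.20 22   # not in the approved change
deny any any any any
"""


if __name__ == "__main__":
    for label, snapshot in (("clean", AFTER_CLEAN),
                            ("as implemented", AFTER_AS_IMPLEMENTED)):
        report = verify_change(BEFORE, snapshot, APPROVED_ADD)
        print(label, "->", "ok" if report["ok"] else "REJECT")
        for key, value in report.items():
            if key != "ok" and value:
                print("   ", key, value)
```

The review is a set comparison of the two snapshots against the approved additions and removals, plus a check that the rules common to both snapshots kept their relative order. Either a rule that nobody approved (the operator's own SSH access in the constructed sample) or an approved rule that never landed makes the report reject, which is the decision the MSSP needs before closing the change.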