Firewall Wizards mailing list archives
RE: Best practices for outsourcing firewall management
From: "Melson, Paul" <PMelson () sequoianet com>
Date: Fri, 25 Apr 2003 16:15:23 -0400
What's the purpose of having an ISP maintain the firewall/router instead of the MSSP? Or am I misunderstanding your intent?

I see some disadvantages here. First, if your MSSP is going to perform IDS monitoring, this creates a major delay in their ability to respond to an incident by blocking attackers.

Second, many providers that host firewalls don't like to share. That is to say, it's good practice to interface directly and exclusively with the customer in order to authenticate any changes and make sure that they are what the customer wants. A large MSSP is going to have a breadth of staff that can handle customer change requests, which is a good thing, but means that the provider that implements changes on the gateway will need a lousy security policy, which is a bad thing.

Third, and this comes from my own personal bias, most telco/ISP shops have such lousy security I wouldn't trust them further than I can throw them. If it were me, not only would I not want them implementing changes on a customer firewall, I wouldn't want them to manage the border router outside of the firewall, either.

I understand wanting to implement checks and balances, but I feel that including an ISP as an integral part of a security services equation is less of "defense in depth" and more of "the weakest link."

If you are trying to build in local hw/sw support for the firewall, consider making that part of the SLA when evaluating the MSSP. Even if the firewall is managed in a central location, many MSSPs may have regional integrator practices nearby that can get hardware and a skilled engineer to the customer within hours of a failure. This may have the added bonus of being cheaper than your original idea since several of us (MSSPs) include this automatically in our managed firewall services.

PaulM
-----Original Message-----

My proposal to them has been along the following lines:

* Internal company managed policy setting, and change control process
* Outsourced Managed Security Service Provider (e.g. counterpane, IBM Global Services, etc)
* regional Gateway operators (regional telco, other large ISP, etc. NOT the same as the MSSP)

The process would be something like:

* division in the company identifies a need for a change to the gateway (e.g. allowing a new service, putting a new machine in the gateway infrastructure, etc)
* the MSSP consults on the potential impact that this could have in terms of security, (including discussion with the Gateway Operator)
* the MSSP ultimately instructs the Gateway Operators to perform the accepted change.
* The Gateway operator implements the change.
* The MSSP reviews the changes made to the infrastructure, to ensure that what changed was what was approved.