Firewall Wizards mailing list archives
RE: Best practices for outsourcing firewall management
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Tue, 29 Apr 2003 10:38:57 +0200
The idea is to have the MSSP monitoring what the infrastructure provider is doing, since the client does not have, or want, the expertise to do this themselves. If the MSSP does the changes themselves, it becomes the client's problem to make sure that they are properly implemented, to a certain extent. (Of course, not trusting them to implement them correctly, but trusting them to check that they are done correctly is kind of a contradiction, isn't it?)

Are you suggesting that it is a more feasible approach to have the ISP/telco/hosting provider simply responsible for "facilities" (aircon, UPS, bandwidth, backups?, spares for certain hardware (routers, cache-proxies, etc.)), and leave the MSSP to be responsible for managing (implementing and reviewing) security devices such as firewalls, IDS, etc., which would also include being responsible for replacing firewall and IDS hardware as necessary?

Rogan

-----Original Message-----
From: PMelson () analysts com [mailto:PMelson () analysts com]
Sent: 25 April 2003 10:15 PM
To: Dawes, Rogan (ZA - Johannesburg); firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] Best practices for outsourcing firewall management

What's the purpose of having an ISP maintain the firewall/router instead of the MSSP? Or am I misunderstanding your intent?

I see some disadvantages here. First, if your MSSP is going to perform IDS monitoring, this creates a major delay in their ability to respond to an incident by blocking attackers.

Second, many providers that host firewalls don't like to share. That is to say, it's good practice to interface directly and exclusively with the customer in order to authenticate any changes and make sure that they are what the customer wants. A large MSSP is going to have a breadth of staff that can handle customer change requests, which is a good thing, but means that the provider that implements changes on the gateway will need a lousy security policy, which is a bad thing.

Third, and this comes from my own personal bias, most telco/ISP shops have such lousy security I wouldn't trust them further than I can throw them. If it were me, not only would I not want them implementing changes on a customer firewall, I wouldn't want them to manage the border router outside of the firewall, either. I understand wanting to implement checks and balances, but I feel that including an ISP as an integral part of a security services equation is less of "defense in depth" and more of "the weakest link."

If you are trying to build in local hw/sw support for the firewall, consider making that part of the SLA when evaluating the MSSP. Even if the firewall is managed in a central location, many MSSPs may have regional integrator practices nearby that can get hardware and a skilled engineer to the customer within hours of a failure. This may have the added bonus of being cheaper than your original idea since several of us (MSSPs) include this automatically in our managed firewall services.

PaulM
-----Original Message-----

My proposal to them has been along the following lines:

* Internal company managed policy setting, and change control process
* Outsourced Managed Security Service Provider (e.g. Counterpane, IBM Global Services, etc.)
* Regional gateway operators (regional telco, other large ISP, etc. NOT the same as the MSSP)

The process would be something like:

* A division in the company identifies a need for a change to the gateway (e.g. allowing a new service, putting a new machine in the gateway infrastructure, etc.)
* The MSSP consults on the potential impact that this could have in terms of security (including discussion with the Gateway Operator)
* The MSSP ultimately instructs the Gateway Operators to perform the accepted change.
* The Gateway Operator implements the change.
* The MSSP reviews the changes made to the infrastructure, to ensure that what changed was what was approved.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
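The last step of the process quoted above, where the MSSP reviews what the gateway operator actually changed and confirms it matches what was approved, is the control that makes the split between "implementer" and "reviewer" worth anything. The following is an added example, not code from the original thread or from any MSSP, showing how that review can be automated as a rule-set reconciliation: diff the rule-set captured before and after the operator's change, then compare the diff against the approved change request. The rule syntax, the change-request structure, the ticket identifier and every sample rule below are constructed for illustration.

```python
"""Reconcile a firewall rule-set change against an approved change request.

Added example (not part of the original thread). Models the MSSP's review
step: the only differences between the pre-change and post-change rule-set
should be exactly the additions and removals named in the change request.
Rule syntax, change-request format and all sample rules are constructed.
"""
from dataclasses import dataclass, field


def normalize(rule: str) -> str:
    """Canonicalize a rule line so whitespace/case edits don't look like changes."""
    return " ".join(rule.strip().lower().split())


def parse_ruleset(text: str) -> set[str]:
    """Parse a constructed rule-set: one rule per line, '#' starts a comment."""
    rules = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if line.strip():
            rules.add(normalize(line))
    return rules


@dataclass
class ChangeRequest:
    ticket: str                                   # placeholder ticket id
    add: set[str] = field(default_factory=set)    # rules approved for addition
    remove: set[str] = field(default_factory=set) # rules approved for removal


@dataclass
class ReviewResult:
    unapproved_added: set[str]     # present after, absent before, not in CR.add
    unapproved_removed: set[str]   # present before, absent after, not in CR.remove
    approved_not_applied: set[str] # approved work the operator did not do

    @property
    def ok(self) -> bool:
        """True only when the observed change equals the approved change."""
        return not (self.unapproved_added
                    or self.unapproved_removed
                    or self.approved_not_applied)


def review_change(before: str, after: str, cr: ChangeRequest) -> ReviewResult:
    """Compare the observed rule-set diff with the approved change request."""
    old, new = parse_ruleset(before), parse_ruleset(after)
    added, removed = new - old, old - new
    want_add = {normalize(r) for r in cr.add}
    want_remove = {normalize(r) for r in cr.remove}
    return ReviewResult(
        unapproved_added=added - want_add,
        unapproved_removed=removed - want_remove,
        # approved adds that are still missing, plus approved removes still present
        approved_not_applied={r for r in want_add if r not in new}
                             | {r for r in want_remove if r in new},
    )


# Constructed sample data: rule-set snapshots captured around the change.
BEFORE = """
# constructed rule-set, captured before the operator's change
allow tcp any -> 192.0.2.10 port 443
allow tcp any -> 192.0.2.10 port 80
allow tcp 198.51.100.0/24 -> 192.0.2.20 port 22
deny  any any -> any
"""

AFTER = """
# constructed rule-set, captured after the operator's change
allow tcp any -> 192.0.2.10 port 443
allow tcp 198.51.100.0/24 -> 192.0.2.20 port 22
allow tcp 203.0.113.5 -> 192.0.2.30 port 8443
allow tcp any -> 192.0.2.20 port 3389
deny  any any -> any
"""

# Constructed change request: one approved addition, one approved removal.
CR = ChangeRequest(
    ticket="CR-0000 (placeholder)",
    add={"allow tcp 203.0.113.5 -> 192.0.2.30 port 8443"},
    remove={"allow tcp any -> 192.0.2.10 port 80"},
)

if __name__ == "__main__":
    result = review_change(BEFORE, AFTER, CR)
    print(f"review of {CR.ticket}: {'OK' if result.ok else 'DISCREPANCY'}")
    for label, rules in (("unapproved addition", result.unapproved_added),
                         ("unapproved removal", result.unapproved_removed),
                         ("approved but not applied", result.approved_not_applied)):
        for rule in sorted(rules):
            print(f"  {label}: {rule}")
```

In the constructed sample the operator applied both approved items but also opened port 3389 from anywhere, which the review reports as an unapproved addition. Anything in that bucket is a change-control breach to be raised with the operator and the client, not silently re-approved; the `approved_not_applied` bucket catches the quieter failure where the ticket is closed but the work was never done. The same comparison works on any device whose configuration can be exported as a canonical list of rules.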
Current thread:
- Best practices for outsourcing firewall management Dawes, Rogan (ZA - Johannesburg) (Apr 25)
- <Possible follow-ups>
- RE: Best practices for outsourcing firewall management Melson, Paul (Apr 26)
- RE: Best practices for outsourcing firewall management Dawes, Rogan (ZA - Johannesburg) (Apr 29)
- RE: Best practices for outsourcing firewall management Melson, Paul (Apr 29)