Firewall Wizards mailing list archives

RE: Outsourcing Firewalls/Internet Security count


From: Gary Crumrine <gcrum () us-state gov>
Date: Mon, 8 Dec 1997 06:48:57 -0500

That is true Joe...but could you explain the root difference between acting 
as a consultant to a government agency, performing essentially the same 
monitoring tasks, designing safe systems etc...AND doing the same as an 
independent or employee of an outsource company...perhaps running a 
monitoring center etc..   There is none.  Oh yes the govvie setup provides 
the equipment and building, perhaps some physical security, and a 
perception that they are under control, but unless the intended stuff is 
classified, and they are not using the REAL Internet as the backbone, what 
is the difference?....   You will run into good people, and bad in both 
cases.

-----Original Message-----
From:   Joseph S. D. Yao [SMTP:jsdy () cospo osis gov]
Sent:   Friday, December 05, 1997 2:42 PM
To:     firewall-wizards () nfr net
Subject:        Re: Outsourcing Firewalls/Internet Security count

I suspect we all currently outsource our telephone services, and think
nothing of it.  Why should we insist on being more private with our
network services?

The relative youth of the technology comes to mind; and that's fair.

But, if you want a REALLY, REALLY private conversation, what do you do?
Get on a cell' 'phone?  Probably not - you probably go to your
respective offices and screw little widgets onto your 'phones, or you
meet in Central Park.  So with networking - let's go with IPsec or its
more secure descendants.

OK, having said that, we know that with people becoming ISP's (soi-
disant) with $10,000 worth of equipment, there's lots of NON-expertise
in keeping things working & secure out there; so there should be some
effort to have security.  But, by the same token, most of the crackers
out there are kids with cookbooks - not the real hacker/crackers that
you have to really worry about.  If you outsource your firewall to
someone with a reasonable clue level, you can probably trust them about
as much as you trust the 'phone company.  Companies.  Whatever.  Then,
if you've got some neat goodies to conceal, encrypt them.  Encrypt your
tunnel.  Do whatever you would over 'phone lines.  But don't make the
moderately clueful take on THAT task as well.

Heck, I've even heard - although I wouldn't swear to it - that some
government installations are considering outsourcing firewalls.  I
haven't heard that any are actually doing it now, though.

Would I do it?  Not bloody likely.  You have to be pretty paranoid to
do network security, and it shows.  I'm just like a lot of you: I hate
to let anything like that out of my hands, because then I'm not
directly controlling it.  But that's also part of the reason why I'd
never go into business for myself (I don't know how Marcus balances
it!): I have trouble balancing business justifications for doing things
less than perfectly.  Intellectually, I'm aware that such reasons
exist.  But it's not a part of my central mental model of the world.

So why am I arguing for out-sourcing?  Because a lot of the arguments
I've read have been pretty much from the point of view of that last
paragraph: pretty much "I wouldn't do it 'cause it's not the perfect
solution."  And it's not.  But sometimes it can be justified, as not
having your own private secure communications network across the world
can be justified, as a less-than-perfect solution for less-than-greatest
needs.

Eh?

--
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO Computer Support                                          EMT-A/B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.


