RE: Firewall Administration

[Steve Kruse <jsk347 () worldnet att net>]

At 11:37 PM 10/7/97 +0000, Larry J. Hughes Jr. wrote:

> Adam Shostack <adam () homeport org> writes:
>
> > So what should a small company do?  They don't have the skill in
> > house; probably can't find someone good to bring in as a consultant or
> > staff member, since the big players pay more.  So, should they not buy
> > a FW when connecting to the internet?  Even a badly done screening
> > router offers some protection.  (It also offers overmuch peace of
> > mind; but a good fitness for purpose warranty might fix that.)
>
> I joined the list mid-stream, so hopefully my $0.02 isn't redundant.  
>
> We have to address this all the time with our customers, which range from
> the very small to the very large.  (We are a good-sized regional ISP.) 
> The general case of simply setting up a full-fledged firewall for a small-
> to medium-sized business is very rarely a good idea, because after the
> setup they still aren't security savvy -- so they may later end up worse
> off than just having some basic packet filtering in the router.
>
> Our solution was to invent several levels of managed firewall service,
> which scale in features (hence cost) according to the customer's purse. 
> The variance in features has more to do with value-add and incident
> handling priority than it does with overall quality of service.
>
> The downside is, yes, it costs them some money.  The upside is it costs
> them only a fraction of what it does to hire a single security expert. 
> They also inherit the windfall of not having to worry about a single
> in-house security guru leaving for greener pastures, which happens too
> often in this business.
>
> ---
> Larry J. Hughes Jr.    larry () nwnet net     http://www.nwnet.net/~larry/

Another $.02 worth but ...  For small companies I agree that a managed
firewall service from their ISP is probably a good answer SO LONG AS you
spend the time to help them develop security policies and train their users
as to the things they can do to minimize damages.  For "medium" size
companies (just what IS a medium size, anyway?) however there may be more
at stake.  

My personal problem, were I to be the IS manager of a 'medium' sized
company with more resources than a "small" company is:  HOW DO I KNOW I CAN
TRUST THE FIREWALL MANAGER(s)?  (nothing personal to you here!!!)  If I
totally relinquish control of my network-->internet security, what
assurance do I have that a rogue employee of the ISP isn't diddling with my
net?  What about an employee that needs money so they sell off the keys to
the kingdom of 10 or 20 or 30 companies to someone?  Does the ISP bond
every employee who can touch that firewall, and is there a mechanism to
ensure MY damages will be compensated if this occurs?  

The value of my information vs. the cost of a security consultant whom I
can choose, bond and control may be a small price to pay in the long run.  

Ok..so maybe it's only $.01 worth.  But...something to think about.

Flames ignored...comments welcome!

*****************************************************
* Steve Kruse               Milkyway Networks       *
* Network Systems Engineer  1342 E. Vine St. #224   *
* 407-847-8977 Voice        Kissimmee, FL 34744     *
* 407-847-7203 Fax          http://www.milkyway.com *
*****************************************************