Firewall Wizards mailing list archives
Re: Managed Security Metrics
From: "shawn . moyer" <shawn () net-connect net>
Date: Mon, 05 Mar 2001 14:58:38 -0600
Mike Smith wrote:
What security metrics should I be looking for in a service level agreement from a managed security service provider? Traditional service level agreements cover things like performance (throughput) and availability. If I have an outsourcer manage my firewall, what kinds of service targets should I insist on?
Well, I think some of the standard SLA-type stuff still applies like uptime, response time to outages and change requests, etc. -- all of these are just as relevant if not more so when outsourcing FW / IDS / VPN management. I'd wager the biggest additional point of contention would be attack response... For example, what metric is used to determine if an attack is in progress? How is the response handled and how quickly? Who is notified, what countermeasures are taken, etc.? This gets pretty hairy to define.

Offhand I'd consider any suspicious activity that hits more than some arbitrary number of IP's to be a warning shot; for example if I saw someone scanning my network for the rpc.statd vulnerability and saw more than, say, five IP's hit in sequence I'd consider this worthy of investigation, and if I were paying someone to manage my security I'd expect them to agree, although on a very busy network with a lot of suspicious traffic you have to pick your battles a bit. I'd want to verify that whoever I was going with as a Security MSP shared my own philosophy on what is worthy and what is not worthy of reporting and logging.

Another service I'd expect from a Security MSP would be more advanced trend analysis -- I'd expect a monthly report of the overall percentage of anomalous traffic in relation to "good" traffic (again, a tough thing to define), and I'd want to know whether the trend was toward an increase or a decrease. I'd also expect a Security MSP to be able to track and locate "problem" IP's and networks -- this brings up the old problem of an attacker that might be profiling a network over a long period of time, generating only a few "low priority" alarms -- when viewed from a trend analysis standpoint this traffic is malicious, but from a "daily" or "monthly" standpoint this traffic might not be relevant. I'd expect my logs to be stored and added to a trending database for at least 12 months.
I'd also look for a *wide* range of supported tools and platforms... No sense getting married to a dead-end platform if you can help it. I'd expect (without getting into firewall / IDS wars) at least Gauntlet, Raptor, Checkpoint, PIX, Netscreen, and IPF support from the firewall / VPN side, and NFR, Netranger, RealSecure, Dragon, and Snort support on the IDS side.

--shawn

--
s h a w n m o y e r
shawn () net-connect net
Man will occasionally stumble over the truth, but most of the time he will pick himself up and continue on. -- Churchill

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
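The "more than five IP's hit in sequence" heuristic and the slow-profiling problem shawn raises are both the same question asked over different time windows: how many distinct hosts has one source touched within a window? The following is an added example, not code from the original post or from any of the products named in it. It assumes a constructed, made-up log format (`timestamp src dst port action`, one event per line) and uses the firewall's deny/permit decision as a crude stand-in for "anomalous" versus "good" traffic, which the post itself admits is hard to define. Run with a five-minute window it catches the fast sweep; run with a thirty-day window over the same events it also surfaces the source that probes one host per day and would never trip a daily threshold.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample log lines (not from the post): "timestamp src dst port action".
# 10.9.9.9 sweeps six hosts on port 111 in six seconds; 198.51.100.7 probes the
# same six hosts one per day; the 203.0.113.x entries are ordinary permitted traffic.
SAMPLE_LOG = """\
2001-03-05T10:00:01 10.9.9.9 192.0.2.10 111 deny
2001-03-05T10:00:02 10.9.9.9 192.0.2.11 111 deny
2001-03-05T10:00:03 10.9.9.9 192.0.2.12 111 deny
2001-03-05T10:00:04 10.9.9.9 192.0.2.13 111 deny
2001-03-05T10:00:05 10.9.9.9 192.0.2.14 111 deny
2001-03-05T10:00:06 10.9.9.9 192.0.2.15 111 deny
2001-03-05T10:01:00 203.0.113.5 192.0.2.80 80 permit
2001-03-05T10:02:00 203.0.113.6 192.0.2.80 80 permit
2001-03-05T10:02:30 203.0.113.6 192.0.2.25 25 permit
2001-03-06T02:00:00 198.51.100.7 192.0.2.10 111 deny
2001-03-07T02:00:00 198.51.100.7 192.0.2.11 111 deny
2001-03-08T02:00:00 198.51.100.7 192.0.2.12 111 deny
2001-03-09T02:00:00 198.51.100.7 192.0.2.13 111 deny
2001-03-10T02:00:00 198.51.100.7 192.0.2.14 111 deny
2001-03-11T02:00:00 198.51.100.7 192.0.2.15 111 deny
"""

Event = namedtuple("Event", "ts src dst port action")

# Two windows for the same check: the daily "warning shot" and the long-term trend view.
FAST_WINDOW = timedelta(minutes=5)
TREND_WINDOW = timedelta(days=30)
MIN_HOSTS = 5  # "more than, say, five IP's" -> flag when distinct targets exceed this


def parse_log(text):
    """Parse the constructed log format into Event tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, dst, int(port), action))
    return events


def max_distinct_targets(events, window):
    """For each source, the largest number of distinct destinations it touched
    within any window of the given length ending at one of its own events."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)
    result = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        best = 0
        for ev in evs:
            start = ev.ts - window
            seen = {e.dst for e in evs if start <= e.ts <= ev.ts}
            best = max(best, len(seen))
        result[src] = best
    return result


def flag_sweeps(events, window, min_hosts=MIN_HOSTS):
    """Sources whose distinct-target count within the window exceeds min_hosts."""
    counts = max_distinct_targets(events, window)
    return sorted(src for src, n in counts.items() if n > min_hosts)


def anomaly_ratio(events):
    """Share of events the firewall denied: a crude proxy for the post's
    'anomalous vs. good traffic' percentage, fed to a monthly trend report."""
    if not events:
        return 0.0
    denied = sum(1 for ev in events if ev.action == "deny")
    return denied / len(events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("fast sweeps :", flag_sweeps(evs, FAST_WINDOW))
    print("trend sweeps:", flag_sweeps(evs, TREND_WINDOW))
    print("anomaly ratio: %.2f" % anomaly_ratio(evs))
```

The per-source pass is quadratic in that source's event count, which is fine for a worked example and for the size of a single host's events in a day, but a production trending database would keep the events sorted and advance a start pointer instead of rescanning. The point the example makes is the one the post makes: the same threshold that is "worthy of investigation" in a five-minute window only exposes the slow profiler when the window covers the months of retained logs shawn asks for.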
Current thread:
- Managed Security Metrics Mike Smith (Mar 05)
- Re: Managed Security Metrics R. DuFresne (Mar 05)
- Re: Managed Security Metrics shawn . moyer (Mar 05)
- Re: Managed Security Metrics R. DuFresne (Mar 06)
- Re: Managed Security Metrics Marcus J. Ranum (Mar 06)
- IP Spoofing and counter measures Tib (Mar 09)
- Re: IP Spoofing and counter measures Ryan Russell (Mar 11)
- RE: Managed Security Metrics Bob . Eichler (Mar 05)
- RE: Managed Security Metrics Mike Smith (Mar 05)
- Re: Managed Security Metrics Adam Shostack (Mar 06)
- RE: Managed Security Metrics R. DuFresne (Mar 06)
- Re: Managed Security Metrics shawn . moyer (Mar 06)
- RE: Managed Security Metrics Mike Smith (Mar 06)