[ISN] Firewall Services: More Bark Than Bite

From: mea culpa (jerichoat_private)
Date: Wed Mar 10 1999 - 22:44:04 PST


    March 1999
    By Joanna Makris
    Firewall Services: More Bark Than Bite
    Simplicity? Yes. Savings? Probably. What providers of managed firewall
    services won't mention are the problems. 
    "It was hilarious. We captured 267 customers in two days, and they had no
    clue what was going on." 
    Meet Dr. Mudge, a white-hat hacker at L0pht Heavy Industries (Boston)
    whose idea of a joke should make customers of managed firewall services
    very nervous. He says he seized control of the entire NOC (network
    operations center) of an ISP that offers such a service, and was able to
    assume each customer's identity, view all their information, and make any
    changes he wanted. 
    If that's what the good guys are doing, imagine what the hackers in black
    are up to. Managed firewall services are supposed to be the new weapon in
    the battle of the breach: Providers take on all of the notoriously
    difficult firewall tasks, from policy planning, installation, and
    configuration to software licensing, encryption, and maintenance. But in
    sparing customers the agony and expenses of ownership, they're also
    exposing them to harm. Fact is, providers face the same problem customers
    do: a shortage of security skills. "Look behind the scenes, and you'll
    find that service providers don't have real security expertise," says Mark
    Teicher, security consultant for Predictive Systems Inc. (New York). He
    should know: He was a senior security engineer for Site Patrol, a managed
    security service from GTE Internetworking (Cambridge, Mass.), which he
    left "because I worked with a group that didn't know what Unix was." 
    Scary stuff? No doubt. But companies short on the smarts themselves might
    have little choice. "Not only do we lack the internal firewall and
    security talent," says Len Carella, director of information technology at
    Newsweek Inc. (New York). "But we also don't have the staff to sit there
    and monitor everything on a 24 x 7 basis." 
    Carella ended up choosing Pilot Network Services Inc. (Alameda, Calif.) to
    secure Internet access, but only after taking some steps that other
    corporate networkers who opt to outsource would be wise to follow. First,
    get set on the number of NOCs. Second, find out whether the service is
    network-independent: Will the carrier manage a firewall that's connected
    to another carrier's network service? Then look at the hardware; assess
    which firewall products are in use and whether they're packet-filtering or
    proxy devices. Also find out where the firewall is installed; it's either
    going to be in the NOC or on the customer premises, and the location could
    affect how well it works. After that, pore over procedures: How fast does
    the provider perform policy changes, and how should customers inform it
    about modifications? How quickly does it report on network attacks? What
    does it do when there's a break-in? And does it manually scan event logs
    for suspicious activity?  Also assess the encryption and authentication
    schemes. And follow the fine print: Providers may say they're committed to
    customer service, but unless it's spelled out in the SLA (service-level
    agreement) they don't have to answer to anyone. 
    Finally, get a fix on price. Managed firewall services are supposed to
    save money, but little extras like maintenance and audits have a way of
    adding up. To help net managers make sure they're getting the best deal,
    we've devised a worksheet they can use to pin down the precise costs and
    the payback period (see "Defense Spending"). 
    The Big Queasy
    Information online equals information at risk. Just look at the numbers: A
    full 60 percent of Fortune 1,000 companies reported security breaks last
    year, according to the FBI and the Computer Security Institute Inc. (San
    Francisco). And the damage amounted to a cool $2.8 million per attack. 
    Net managers who want to avoid that kind of trouble can get some firewall
    help from at least 12 providers now plying the trade (see Table 1). The
    roster includes such big names as AT&T Co.  (Basking Ridge, N.J.), Infonet
    Services Corp. (El Segundo, Calif.), MCI Worldcom Inc. (Jackson, Miss.),
    and Sprint Corp. (Kansas City, Mo.). 
    But it's precisely the size of the providers that makes some people
    nervous. "The carriers are huge," says Robert Thibodeaux, networks systems
    administrator at electromechanical product manufacturer Eldec Corp.
    (Lynnwood, Wash.), explaining why he won't sign up for these services. 
    "Even if their best technical person is more astute than my best person,
    by the time the job gets passed down, you're getting managed by some kid
    fresh out of college that's looking at alarms on a screen. And if they
    can't tell me when my frame relay circuit is down, how can they tell me if
    I'm hacked?" 
    Dr. Mudge concurs. "These companies are hiring summer interns to sit
    behind a desk and look at logs," he says. "If you think about it, why
    would a real security expert want to be a desk jockey and look at logs and
    flashing lights?" 
    Carriers also cite a lack of expertise, but on the part of customers. And
    they're using it as justification for not tailoring their services to
    specific requests. "These services are really out of the can," says
    Cameron Gregg, global service offering manager for managed firewall
    services at IBM Global Services (Armonk, N.Y.). "Customers are in the
    early stages of their security awareness, so right now we're not providing
    customization on an individual basis." In other words, corporate
    networkers might simply have to go with what they're given. 
    To Have and Have Not
    Then again, what they're given might be more than what they've got. The
    Gartner Group (Stamford, Conn.), a consultancy, says that large companies
    have the resources to dedicate three employees to setting up firewalls and
    security policies, employees who can command salaries of up to $120,000. 
    But smaller companies don't. "Most businesses don't have the technical
    manpower to devote an entire day to firewall installation," says Jason
    Agagnier, senior network engineer at Microcosm Computer Resources Inc.
    (MCR, San Francisco), a network security consultancy. "Their technicians
    have issues besides security to deal with." 
    That doesn't just put a strain on manpower. It also makes the network more
    vulnerable. "Since most companies aren't up on the latest operating
    systems and equipment, they're prone to stick with default configurations,
    the exploits of which are already known to hackers," Agagnier says. 
    In other words, managed firewall services, for all their faults, might
    simply make sense for many organizations. 
    [snip.. original article is four pages]
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:20:41 PDT