http://www.data.com/issue/990307/firewalls.html
March 1999
By Joanna Makris

Firewall Services: More Bark Than Bite

Simplicity? Yes. Savings? Probably. What providers of managed firewall services won't mention are the problems.

"It was hilarious. We captured 267 customers in two days, and they had no clue what was going on."

Meet Dr. Mudge, a white-hat hacker at L0pht Heavy Industries (Boston) whose idea of a joke should make customers of managed firewall services very nervous. He says he seized control of the entire NOC (network operations center) of an ISP that offers such a service, and was able to assume each customer's identity, view all their information, and make any changes he wanted. If that's what the good guys are doing, imagine what the hackers in black are up to.

Managed firewall services are supposed to be the new weapon in the battle of the breach: Providers take on all of the notoriously difficult firewall tasks, from policy planning, installation, and configuration to software licensing, encryption, and maintenance. But in sparing customers the agony and expenses of ownership, they're also exposing them to harm.

Fact is, providers face the same problem customers do: a shortage of security skills. "Look behind the scenes, and you'll find that service providers don't have real security expertise," says Mark Teicher, security consultant for Predictive Systems Inc. (New York). He should know: He was a senior security engineer for Site Patrol, a managed security service from GTE Internetworking (Cambridge, Mass.), which he left "because I worked with a group that didn't know what Unix was."

Scary stuff? No doubt. But companies short on the smarts themselves might have little choice. "Not only do we lack the internal firewall and security talent," says Len Carella, director of information technology at Newsweek Inc. (New York). "But we also don't have the staff to sit there and monitor everything on a 24 x 7 basis."
Carella ended up choosing Pilot Network Services Inc. (Alameda, Calif.) to secure Internet access, but only after taking some steps that other corporate networkers who opt to outsource would be wise to follow. First, get set on the number of NOCs. Second, find out whether the service is network-independent: Will the carrier manage a firewall that's connected to another carrier's network service? Then look at the hardware; assess which firewall products are in use and whether they're packet-filtering or proxy devices. Also find out where the firewall is installed; it's either going to be in the NOC or on the customer premises, and the location could affect how well it works. After that, pore over procedures: How fast does the provider perform policy changes, and how should customers inform it about modifications? How quickly does it report on network attacks? What does it do when there's a break-in? And does it manually scan event logs for suspicious activity? Also assess the encryption and authentication schemes. And follow the fine print: Providers may say they're committed to customer service, but unless it's spelled out in the SLA (service-level agreement) they don't have to answer to anyone.

Finally, get a fix on price. Managed firewall services are supposed to save money, but little extras like maintenance and audits have a way of adding up. To help net managers make sure they're getting the best deal, we've devised a worksheet they can use to pin down the precise costs and the payback period (see "Defense Spending").

The Big Queasy

Information online equals information at risk. Just look at the numbers: A full 60 percent of Fortune 1,000 companies reported security breaches last year, according to the FBI and the Computer Security Institute Inc. (San Francisco). And the damage amounted to a cool $2.8 million per attack.
Net managers who want to avoid that kind of trouble can get some firewall help from at least 12 providers now plying the trade (see Table 1). The roster includes such big names as AT&T Co. (Basking Ridge, N.J.), Infonet Services Corp. (El Segundo, Calif.), MCI Worldcom Inc. (Jackson, Miss.), and Sprint Corp. (Kansas City, Mo.).

But it's precisely the size of the providers that makes some people nervous. "The carriers are huge," says Robert Thibodeaux, networks systems administrator at electromechanical product manufacturer Eldec Corp. (Lynnwood, Wash.), explaining why he won't sign up for these services. "Even if their best technical person is more astute than my best person, by the time the job gets passed down, you're getting managed by some kid fresh out of college that's looking at alarms on a screen. And if they can't tell me when my frame relay circuit is down, how can they tell me if I'm hacked?"

Dr. Mudge concurs. "These companies are hiring summer interns to sit behind a desk and look at logs," he says. "If you think about it, why would a real security expert want to be a desk jockey and look at logs and flashing lights?"

Carriers also cite a lack of expertise, but on the part of customers. And they're using it as justification for not tailoring their services to specific requests. "These services are really out of the can," says Cameron Gregg, global service offering manager for managed firewall services at IBM Global Services (Armonk, N.Y.). "Customers are in the early stages of their security awareness, so right now we're not providing customization on an individual basis." In other words, corporate networkers might simply have to go with what they're given.

To Have and Have Not

Then again, what they're given might be more than what they've got.
The Gartner Group (Stamford, Conn.), a consultancy, says that large companies have the resources to dedicate three employees to setting up firewalls and security policies, employees who can command salaries of up to $120,000. But smaller companies don't. "Most businesses don't have the technical manpower to devote an entire day to firewall installation," says Jason Agagnier, senior network engineer at Microcosm Computer Resources Inc. (MCR, San Francisco), a network security consultancy. "Their technicians have issues besides security to deal with."

That doesn't just put a strain on manpower. It also makes the network more vulnerable. "Since most companies aren't up on the latest operating systems and equipment, they're prone to stick with default configurations, the exploits of which are already known to hackers," Agagnier says.

In other words, managed firewall services, for all their faults, might simply make sense for many organizations.

[snip.. original article is four pages]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:20:41 PDT