There are advantages and disadvantages to a managed firewall service. I
won't try to suggest whether to go with one or not, but here are some things
to consider when deciding whether to look for a vendor, and also things to
consider when choosing one:
1. Consider hiring a consultant to help you decide whether you should
outsource or do it internally. Choosing a consultant isn't an easy task, but
many of them post here and know people here, so you can quasi-know them.
Also, hiring a consultant is a lower-cost and less intrusive activity than
hiring an outsource organization. If you don't like the consultant, or don't
like the results, you can pick someone else without changing the way you
manage your firewalls in the meantime.
2. What are your internal processes like? Sometimes outsourcing is a way to
borrow someone else's best practices. You may not be at a level of
organization where you feel you can take on management of firewalls. This
takes into account policies, training (it's possible that an outsource
organization will train their staffs better; I know of several companies
that do not give training their employees the priority they should).
3. What are the reputations of the consultants that you're considering? IBM,
for example, probably has a pretty strong vested interest in not having a
breach under their watch. This is not to say they're going to do the best
job, but, to a certain extent, the consultant you pick is going to be on the
line for your security, and the more important their reputation is to them,
the more they're motivated to do a good job.
4. Who are their other customers? Always get references, and always qualify
the references (ideally, you'd be talking to someone who both really cares
about security and knows what to look for in security).
5. What kind of guarantees -- monetary and otherwise -- can they make?
6. What value-added services can they provide that you cannot? For example,
7x24 monitoring might be something that an outsource company can provide
which a small company cannot. Additional, transition plans are something to
consider. A company with a staff of qualified firewall professionals is
going to have less of an issue with a person leaving than a small company
with one firewall expert. Also, a small IT department may have people
wearing many different hats -- it's a lot easier to get good at something
that you're doing all the time.
7. What's your trust level? There are some organizations that trust their
staffs more than outsiders, but other organizations are the other way
around. Especially if you're in an atmosphere where departments are merging
and new people are coming in who may not be people you interview. At least
with a vendor, you (might) know who you're dealing with.
Just a few thoughts ... I'm sure others have many more. I will eventually
go with item 1 (thanks to everyone who gave me leads on consultants) when I
get time to interview them ...
Jen
----- Original Message -----
From: Magowan, Richard M. (ITS) <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, July 25, 1999 5:41 AM
Subject: Managed Firewall Service
> My company has grown rather quickly through merger activity and I find
> myself having to upgrade my Internet service to include multiple sites. I
do
> not have the staff to properly manage and monitor the firewall environment
> at the remote sites, hell I don't even have the time to properly watch the
> one I've got! Anyway, I am evaluating SAVVIS as our possible new ISP with
> the intent to have them manage the firewall environment for a year or so.
> Checkpoint (Unix) will be the firewall supported. Questions:
> Anybody ever used this kind of service?
> Anybody ever used this service from SAVVIS? Anybody used SAVVIS for ISP.
As
> for FW management, with the Checkpoint console is it practical to manage
the
> remote devices centrally (must be since ISPs all do this - right?). How
> "safe" is managed services. Some will say trust no one but I've got to be
> practical with 15,000 users and 150 sites to manage and management that
> seems to thinks of the firewall in terms of an appliance. Any insight is
> greatly appreciated. Thank You.
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
