The Internet

Choosing A Managed Security Provider?

Gothmolly asks: "There are a growing number of Managed Security Providers (MSP) out there. Basically, these guys drop a firewall in your company, then manage it remotely. Defendnet also offers VPN and (I hear) in-line Anti-Virus solutions. Places like MyCIO and ISS basically do the same thing. How does one evaluate the capabilities of a Managed Security Provider?"

  • if i were looking to buy a managed firewall that was administrated by someone else, here is what i would do:

    1. check out their demo products.
    2. have them set up an exact demo of what you are looking for
    3. nmap the whole range of ip addresses they use for your demo
    4. if you get back ANY responses, they probably didn't do too good of a job.
    5. last and not least, get some kind of service level agreement that includes something like a 6 month or a year guarantee against the firewall being penetrated and a recoup (even partial) of costs if they fail.

    i wouldn't buy from anyone that was trying to implement a PC based solution. if they don't have professional hardware, they aren't professional. look for something that can do multiple things (firewall, dhcp, natting, vpn).

    i would also check their response time in the event of a failure. each minute you're down, is a minute worth of lost sales.
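
Steps 3 and 4 of the comment above, as an added example that is not part of the original thread: it reads `nmap -oG -` output for the demo range and lists every port that sent a reply and is not a service the demo is meant to publish. The scan text, the TEST-NET addresses and the `ALLOWED` set are constructed for illustration.

```python
# Constructed sample of grepable nmap output for a demo range (not real scan data).
SAMPLE_SCAN = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.1 ()\tStatus: Up\n"
    "Host: 192.0.2.1 ()\tPorts: 22/filtered/tcp//ssh///, 443/open/tcp//https///\n"
    "Host: 192.0.2.2 ()\tStatus: Up\n"
    "Host: 192.0.2.2 ()\tPorts: 23/open/tcp//telnet///, 80/closed/tcp//http///\n"
    "Host: 192.0.2.3 ()\tStatus: Up\n"
    "Host: 192.0.2.3 ()\tPorts: 161/open|filtered/udp//snmp///\n"
    "# Nmap done\n"
)

# Assumption: the only service the demo is supposed to expose.
ALLOWED = {("192.0.2.1", 443, "tcp")}

# States in which the target actually sent something back. "filtered" and
# "open|filtered" mean the probe was dropped silently, which is what you want.
ANSWERED = {"open", "closed", "unfiltered"}


def unexpected_responses(grepable, allowed):
    """Return sorted (host, port, proto, state) for ports that replied but are not allowed."""
    findings = []
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab (e.g. before "Ignored State:").
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3 or not fields[0].isdigit():
                continue
            port, state, proto = int(fields[0]), fields[1], fields[2]
            if state in ANSWERED and (host, port, proto) not in allowed:
                findings.append((host, port, proto, state))
    return sorted(findings)


if __name__ == "__main__":
    for host, port, proto, state in unexpected_responses(SAMPLE_SCAN, ALLOWED):
        print(f"{host} {port}/{proto} answered ({state})")
```

A `closed` port counts as a finding here because a reset is still a response from behind the firewall.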
  • To start, I work for a company that does this - it's not our primary focus, but it's something we do for some of our clients.

    relying on them for the defense itself... I don't know about that.

    This is a good attitude to have, but it misses one important fact - that not everybody knows how to secure a network (or even how to find out if they're secure or not.) You seem to know something about security, so you'd probably not be someone who needs this sort of thing.

    This is especially true of firewalls--all too often you see someone just drop one in and assume that they're now safe from harm.

    Yup - this is the biggest problem I encounter - in fact, some of our bigger clients called us because they did exactly this, and then got hacked. They need someone who can provide experience and knowledge, not just hardware.

    first I make sure everything is locked down tightly enough that it doesn't need the firewall, then I put the firewall in.

    Again, a very good mindset - but what if you can't lock it down? Take for example, someone who does web design & hosting - using IIS.. it's been my experience that this is something that _can't_ be locked down - there are just too many exploits waiting to happen..

    In the IIS example, a firewall (a _real_ firewall, not a packet filter) is the best way to provide security - by setting up a secure reverse-web proxy, and filtering the connection streams at the application level. By having the proxy provide some basic filters (block any inbound request that contains the string 'cmd.exe', for example) you can provide protection against exploits before they happen. It's not foolproof, but it goes a long way towards securing a system.
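
The proxy filter described in the comment above, as an added example that is not part of the original thread: a literal match on the raw request line beside a version that normalizes the request target before matching. The function names, the decode limit and the sample requests are assumptions made for illustration.

```python
from urllib.parse import unquote

DENY_SUBSTRINGS = ("cmd.exe",)  # the string the comment gives as its example
MAX_DECODE_ROUNDS = 3           # assumption: deeper encoding is rejected outright


def naive_verdict(request_line):
    """Literal match on the raw request line, as a simple proxy rule would do."""
    return "block" if any(s in request_line for s in DENY_SUBSTRINGS) else "allow"


def normalize(target):
    """Undo percent-encoding (bounded), unify slashes and case; None if over-encoded."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(target)
        if decoded == target:
            return target.replace("\\", "/").lower()
        target = decoded
    return None


def verdict(request_line):
    """Match the deny list against the normalized target; reject anything unparsable."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "block"
    target = normalize(parts[1])
    if target is None:
        return "block"
    return "block" if any(s in target for s in DENY_SUBSTRINGS) else "allow"


# Constructed request lines, not taken from any real log.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /scripts/cmd.exe HTTP/1.0",
    "GET /scripts/CMD.EXE HTTP/1.0",
    "GET /scripts/cmd%2Eexe HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{line!r}: naive={naive_verdict(line)} normalized={verdict(line)}")
```

The filter has to see the request the way the web server behind it will, which is why matching happens only after decoding and case folding.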
  • It would be my guess...
  • I sort of semi-agree with you; admittedly, not everyone is going to be able to secure a network. However, my opinion is that about half of security (maybe more) is in the mindset you have when you approach systems design and upkeep--and mindset is not really something you can hire out. Still, I suppose that there is a market for it and it's probably better than nothing, provided you can avoid leaving the client with the "Oh, we paid somebody to do that, we're all secure now" attitude.

    As far as IIS goes, I've had reasonably good luck using Microsoft's checklists to lock it down after installing it on a box that's already been secured. The biggest problem with IIS, IMHO, is not really IIS, but ASP, and the fact that most ASP coders wouldn't recognize a security hole in their code if it bit them in the ass. Rigorous code auditing is really the only way around that, although I can certainly appreciate the value in having a good reverse proxy in front of the box. Personally, I never have a web server within a couple of defense rings of anything really important, anyway.
  • I think that security would be about the last thing that I would be wanting to outsource. I might use outside agencies to do annual audits or penetration testing, because they'll think of ways around my defenses that I hadn't thought of, but relying on them for the defense itself... I don't know about that.

    Maybe I'm just paranoid, but it seems to me that if you don't know, yourself, the details of your security, then your site is not secure. This is especially true of firewalls--all too often you see someone just drop one in and assume that they're now safe from harm. A firewall is absolutely the last thing I implement in site defense--first I make sure everything is locked down tightly enough that it doesn't need the firewall, then I put the firewall in. Anyone or any company who is trying to sell you on "Yeah, just install our product, you'll be perfectly safe, don't worry about it..." is doing you a disservice. It's worse than having nothing to put something like this in and then ignore it--false sense of security.

    Now, maybe if you've already locked everything down and just want someone to handle the maintenance, these services might be okay. But there's gotta be a hole somewhere for them to get in to administer the thing... so really, you just opened up a new vulnerability in your network when you hire them.

  • In a way you are outsourcing the evaluation of ways to secure your network to the security services company, so investing a lot of time here is kind of a paradox.

    You first could check how extensive their defenses are, how good their service is when you need a port opened, whether they do virus scanning, and whether they are confident enough to offer insurance against break-ins with their product.

    You also might ask why they use the firewall they do instead of another product. Maybe also check their company background.

    --wise man morris

  • You have to first define what you want to protect, and against who. That will determine what your MSP has to provide to make it work for you. An increasing trend for security sensitive companies is to use an MSP as a front-end to their own security - in effect a double shell with different parameters to breach. OTOH, if you're not that worried you could always start with enabling filtering and Network Address Translation (NAT) on your incoming router - which is a cheap way of securing your connection a little bit but gives you zero logging and audit capabilities. First decide what you really want ...
  • And what are they charging us. Even though the link looks like an ad, it doesn't mention the approx. costs.
  • First I would divide your security needs in different sections:

    - network or access security
    - content security

    Then describe your needs and expectations, then look for matching vendors. I am willing to make a summary of basic needs, please e-mail me specific needs. Here are some:

    - 24/7/365
    - next business day hardware replacement
    - day/week/monthly logs
    - emergency change requests should be possible

    Regards, Christoph
  • SecurePipe Communications [securepipe.com] does this kind of thing. We provide a managed firewall service, just drop in our box. The firewall [securepipe.com] is maintained remotely from our NOC either over the network or via a POTS dialup. We also provide VPN's between firewalls and VPN's between roaming clients and internal networks, our latest software version also supports IPSec.

    As to non-firewall solutions, we offer virtual mail and web hosting as well as managed mail servers with virus scanning. We can also host your DNS zones for you. Many of our customers are small businesses, often without any full-time IT staff, which is why we offer such a complete set of non-firewall services.

    Best of all we are an all Linux shop, from the Product to our Desktops. Several people in our staff have even contributed to open source projects. We also use OSS for all our core business software and will continue to do so for the foreseeable future. Our shop is committed to the spirit of the GPL and will continue to do what we can to better the community.

    --
    Mark Tinberg
    Network Security Engineer
    SecurePipe Communications [securepipe.com]
