Frederick M Avolio wrote:
> Hire a consultant to help you. If you have no time and you have no money,

I think the hardest part about choosing a consultant is finding someone
you trust. I guess you could pay a lot and go through a large company
that has a reputation they'd like to uphold, but even then, it wouldn't
hurt to learn enough about network security to ask them questions to
keep them on their toes.

We've recently been trying to outsource our firewall service. It's been
a hard road, although we're still trying.

We're looking for someone who knows more about security than we do. I
didn't think this would be hard, given that we're not exactly wizards at
security. But lots of the vendors we've talked to sometimes miss a few
security issues, or make bad assumptions about our network. One vendor
assumed we didn't do NAT, or, if we did, we did static NAT only. Odd.
Another came up with a firewall solution that supported port forwarding
but not IP forwarding for NAT. These are not fly-by-night outfits,
either -- one of them was a large security vendor, another was a tier-1
ISP (as in one of the ISPs that other "first-tier" ISPs often brag about
having private peering relationships with). Others have had a hard time
explaining the benefits of one type of firewall over another. Some will
make broad statements like "Proxy firewalls are better because they're
more secure" -- but then flounder when explaining why. And, worse,
completely miss a serious problem with a firewall product -- for
example, in the case of a proxy firewall, that the developer might not
have developed proxies for all of the protocols that we use.

Given this experience, you might ask "Why on earth would anyone want to
outsource corporate firewalls?" The answer is simple: We do not have a
7x24 operation. Moreover, we have so much stuff going on right now it's
hard to dedicate a resource to spend all the time necessary to
investigate new exploits and keep the firewall patched. Even worse is
contingency planning -- what happens if your firewall expert leaves the
department? How expensive is it to replace that person, and how soon
can you do it? This is actually the event that triggered the
outsourcing initiative -- we dedicated someone to the firewall, they
learned all about it, and then they transferred to another department.

Jen