Another good thing to do is a bi- annual firewall review, line by line, to make sure the rules are as you intend and reflect your current needs. Also to make sure you are running the most current version of code.
Since they are managing the device for you, I consider it fair game to ask for their recommendations after they review your configs every so often. In theory, their collective knowledge will be valuable. All of this will give them the opportunity to re-earn your business by having the prove their value to your business. Russell On Feb 12, 2011, at 12:13 PM, John Strand <[email protected]> wrote: > I would also recommend that you periodically "test" them. > > Something as simple as a remote Nessus scan, or a outbound clear text shell. > > See if they catch it. > > If they do not, be sure to give them hell. > > John > > On Fri, Feb 11, 2011 at 8:31 PM, Jack Daniel <[email protected]> wrote: > Like most things, "it depends". As Josh said, if the outsourced > vendor does a great job, it can be very good. Big honking "if" there, > though. > > A few questions off the top of my head: > What are the SLAs, and how are they enforced? > How long does it take to get changes applied? > Do you retain ownership of the hardware on premises? > Do you "own" the configs, or can they flatten the box when terminated? > Do you have audit rights to the systems? > What kind of reporting and documentation do they offer? > Do they guarantee configurations compliant with your regulatory requirements? > What about patching/updating, do they provide a guaranteed update > window after patches/fixes are released? > Is it all in writing? > > Jack > > > On Fri, Feb 11, 2011 at 7:12 PM, Matthew Perry <[email protected]> wrote: > > All, > > > > We have been acquired by another company that is use to outsourcing > > their management and monitoring of firewalls to another company. I > > have always been against this especially since they would have the > > keys for any point to point connections. How does everyone else in > > the pauldotcom community feel about this and is it a standard > > practice? > > > > -- > > Matthew Perry > > _______________________________________________ > > Pauldotcom mailing list > > [email protected] > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > > Main Web Site: http://pauldotcom.com > > > > > > -- > ______________________________________ > Jack Daniel, Reluctant CISSP > http://twitter.com/jack_daniel > http://www.linkedin.com/in/jackadaniel > http://blog.uncommonsensesecurity.com > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > > > > -- > John Strand > Office: (605) 550-0742 > Cell: (303) 710-1171 > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
