-----Original Message-----
From: firewalls-request@lists.gnac.net [mailto:firewalls-request@lists.gnac.net]
Sent: jeudi 28 juin 2001 01:16
To: firewalls@lists.gnac.net
Subject: Firewalls digest, Vol 1 #52 - 9 msgs

Send Firewalls mailing list submissions to
    firewalls@lists.gnac.net

To subscribe or unsubscribe via the World Wide Web, visit
    http://lists.gnac.net/mailman/listinfo/firewalls
or, via email, send a message with subject or body 'help' to
    firewalls-request@lists.gnac.net

You can reach the person managing the list at
    firewalls-admin@lists.gnac.net

When replying, please edit your Subject line so it is more specific than "Re: Contents of Firewalls digest..."

Today's Topics:

  1. Re: Managed Service Providers (Ron DuFresne)
  2. Re: Managed Service Providers (mht@clark.net)
  3. Re: Managed Service Providers (Zachary Uram)
  4. Re: Managed Service Providers (Ron DuFresne)
  5. Re: Managed Service Providers (Ron DuFresne)
  6. Re: Managed Service Providers (Greg Sheard)
  7. RE: Managed Service Providers (Hank Wethington)
  8. Research information (Hank Wethington)
  9. Re: Managed Service Providers (mht@clark.net)

--__--__--

Message: 1
Date: Wed, 27 Jun 2001 16:27:21 -0500 (CDT)
From: Ron DuFresne <dufresne@winternet.com>
To: mht@clark.net
Cc: firewalls@pluto.gnac.com
Subject: Re: Managed Service Providers

smoke and mirrors has been one of the issues with managed service providers and especially managed security providers for some time. Just because they may sell you a service for IDS does not mean a lot if the IDS is set up on the exterior of the network and they are constantly alerting you and your staff of 'intrusion detections' 30-500 times a day. In fact, it tends to devalue such 'warnings' to the point folks tend to just start routing those reports to the trash bin. Thorough reading of contracts in such outsourcing agreements is a must, as well as *understanding* what those contracts are really saying.
Thanks,

Ron DuFresne

On Wed, 27 Jun 2001 mht@clark.net wrote:

> Biased is ok. How does one go about validating that a managed service
> provider stuff is actually working?
> Is there some sort of litmus test procedure that the customer has to sign off
> signifying that the managed service provider selected is actually receiving
> and responding to valid intrusions?
> How long is the tuning process to adjust to particular customer's environment?
> How long is the provisioning process from signed contract to actual turning
> up the customer and handing them over to ops or monitoring?
> What type of people are actually doing the monitoring (certified and
> trained security experts) or (people off the street and then becoming a
> human IDS)??
>
> DigitalMojo does not state how they do this except a bunch of smoke and
> mirrors about ShadowPatrol or ShadowWatch, playing off the theme of "Only
> the Shadow Knows".. There has to be more to managed security services than
> this ??
>
> /m
>
> _______________________________________________
> Firewalls mailing list
> Firewalls@lists.gnac.net
> http://lists.gnac.net/mailman/listinfo/firewalls
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

--__--__--

Message: 2
Date: Wed, 27 Jun 2001 14:33:09 -0700
To: Ron DuFresne <dufresne@winternet.com>
From: mht@clark.net
Subject: Re: Managed Service Providers
Cc: firewalls@pluto.gnac.com

Smoke and mirrors has been an issue with Managed Security Service since the early 90's. also Buyer beware.
How do you know the person sitting back watching the screens is actually a bona fide security type person and not some person who got hired because they showed up at DefCon and impressed someone with their Pez collection (true story).. :) A lot of the debunking is not the actual alert but really happens behind the scenes to determine if one or many alerts are actually valid or not. Each environment can generate their own typical noise or discard that normally traverses the network on a daily basis. It is the MSP's job to sort through the noise or discard and actually call the customer to tell them that there is an actual intrusion or possible intrusion. Now this whole process seems a bit tedious and the folks at ADT can probably provide better statistics on false positives than an MSP can, but back to the point, what value does an MSP like DigitalMojo provide when if you read between the lines, they actually outsource to other MSPs..

/m

At 04:27 PM 6/27/2001 -0500, Ron DuFresne wrote:

>smoke and mirrors has been one of the issues with managed service
>providers and especially managed security providers for some time. Just
>because they may sell you a service for IDS does not mean a lot if the IDS
>is set up on the exterior of the network and they are constantly alerting
>you and your staff of 'intrusion detections' 30-500 times a day. In fact,
>it tends to devalue such 'warnings' to the point folks tend to just start
>routing those reports to the trash bin. Thorough reading of contracts in
>such outsourcing agreements is a must, as well as *understanding* what
>those contracts are really saying.
>
>Thanks,
>
>Ron DuFresne

--__--__--

Message: 3
Date: Wed, 27 Jun 2001 17:58:35 -0400 (EDT)
From: Zachary Uram <zu22@andrew.cmu.edu>
To: mht@clark.net
Cc: Ron DuFresne <dufresne@winternet.com>, firewalls@pluto.gnac.com
Subject: Re: Managed Service Providers

i don't understand why someone would rely on an outsider to manage their security structure?
it seems this is best handled on the inside (with firewalls, IDS, etc..). and if you are just one of many customers won't you get less intense/frequent scrutiny than if you had your own dedicated security staff person whose job is to manage your network security?

Wed, 27 Jun 2001 mht@clark.net wrote:

> Smoke and mirrors has been an issue with Managed Security Service since the
> early 90's. also Buyer beware. How do you know the person sitting back
> watching the screens is actually a bona fide security type person and not
> some person who got hired because they showed up at DefCon and impressed
> someone with their Pez collection (true story).. :) A lot of the debunking
> is not the actual alert but really happens behind the scenes to determine
> if one or many alerts are actually valid or not. Each environment can
> generate their own typical noise or discard that normally traverses the
> network on a daily basis. It is the MSP's job to sort through the noise or
> discard and actually call the customer to tell them that there is an actual
> intrusion or possible intrusion. Now this whole process seems a bit tedious
> and the folks at ADT can probably provide better statistics on false
> positives than an MSP can, but back to the point, what value does an MSP
> like DigitalMojo provide when if you read between the lines, they actually
> outsource to other MSPs..
>
> /m
>
> At 04:27 PM 6/27/2001 -0500, Ron DuFresne wrote:
>
> >smoke and mirrors has been one of the issues with managed service
> >providers and especially managed security providers for some time. Just
> >because they may sell you a service for IDS does not mean a lot if the IDS
> >is set up on the exterior of the network and they are constantly alerting
> >you and your staff of 'intrusion detections' 30-500 times a day. In fact,
> >it tends to devalue such 'warnings' to the point folks tend to just start
> >routing those reports to the trash bin.
> >Thorough reading of contracts in
> >such outsourcing agreements is a must, as well as *understanding* what
> >those contracts are really saying.
> >
> >Thanks,
> >
> >Ron DuFresne

uram@cmu.edu
"Blessed are those who have not seen and yet have faith." - John 20:29

--__--__--

Message: 4
Date: Wed, 27 Jun 2001 17:09:01 -0500 (CDT)
From: Ron DuFresne <dufresne@winternet.com>
To: mht@clark.net
Cc: firewalls@pluto.gnac.com
Subject: Re: Managed Service Providers

<quote>
A lot of the debunking is not the actual alert but really happens behind the scenes to determine if one or many alerts are actually valid or not.
</quote>

<chuckle>

It can be worse than this, some managed sec providers do nothing to make a determination, they merely have it stated in the paperwork that they will notify the client of *any* attempts, it certainly changes the focus of what responsibility is in the situation. Now, you tell me, if open, untuned sensors are sitting on the outside perimeter of a large corporation, how many alerts a day might they get of various inappropriate packets hitting those sensors?

Take it this way; how is policy enforced and what determines what a policy is? Is the managed security provider to implement rules in perimeter equipment that is outrightly *dangerous* if the client contact makes such a request? Should the tech taking the request actually contact the client contact to advise them of known issues that pertain to the request in hand? What actually constitutes a security policy, merely rules set in the perimeter devices? Is it subject to one or two admins at the client site just deciding that these requested changes need to be implemented? It sometimes becomes a question at the managed provider end, of what it is they are supposed to be implementing.
Granted a policy is not a static entity, still to make major deviations from a documented policy, should a managed provider just simply make changes issued from a contact at the client side, should upper level senior mgt be advised of such requests? Then again, since the corporation decided to outsource their security, do they have anyone knowledgeable on their end to actually understand the corporate policy and ramifications of requests they are considering?

Outsourcing is not a simple black and white issue, and it has ramifications that need to be faced by both sides in any contractual agreement in these areas. but, it's all defined on paper, or at least should be, before the managed services in question are taken over. Still, I've seen some pretty large corporations poorly define entities and services and end up with quite a mess on their hands after all the dots and slashes were placed and signatures and checks exchanged, in both security outsourcing and network management. On one side, folks need to know what they can supply and offer as a real service and still make a buck. On the other, folks need to accurately detail in writing, after verbal negotiations, and define what they require, and at a minimum what services they are contracting for.

Thanks,

Ron DuFresne

On Wed, 27 Jun 2001 mht@clark.net wrote:

> Smoke and mirrors has been an issue with Managed Security Service since the
> early 90's. also Buyer beware. How do you know the person sitting back
> watching the screens is actually a bona fide security type person and not
> some person who got hired because they showed up at DefCon and impressed
> someone with their Pez collection (true story).. :) A lot of the debunking
> is not the actual alert but really happens behind the scenes to determine
> if one or many alerts are actually valid or not. Each environment can
> generate their own typical noise or discard that normally traverses the
> network on a daily basis.
> It is the MSP's job to sort through the noise or
> discard and actually call the customer to tell them that there is an actual
> intrusion or possible intrusion. Now this whole process seems a bit tedious
> and the folks at ADT can probably provide better statistics on false
> positives than an MSP can, but back to the point, what value does an MSP
> like DigitalMojo provide when if you read between the lines, they actually
> outsource to other MSPs..
>
> /m
>
> At 04:27 PM 6/27/2001 -0500, Ron DuFresne wrote:
>
> >smoke and mirrors has been one of the issues with managed service
> >providers and especially managed security providers for some time. Just
> >because they may sell you a service for IDS does not mean a lot if the IDS
> >is set up on the exterior of the network and they are constantly alerting
> >you and your staff of 'intrusion detections' 30-500 times a day. In fact,
> >it tends to devalue such 'warnings' to the point folks tend to just start
> >routing those reports to the trash bin. Thorough reading of contracts in
> >such outsourcing agreements is a must, as well as *understanding* what
> >those contracts are really saying.
> >
> >Thanks,
> >
> >Ron DuFresne

--__--__--

Message: 5
Date: Wed, 27 Jun 2001 17:21:10 -0500 (CDT)
From: Ron DuFresne <dufresne@winternet.com>
To: Zachary Uram <zu22@andrew.cmu.edu>
Cc: mht@clark.net, firewalls@pluto.gnac.com
Subject: Re: Managed Service Providers

On Wed, 27 Jun 2001, Zachary Uram wrote:

> i don't understand why someone would rely on an outsider to
> manage their security structure?
> it seems this is best handled on the inside (with firewalls, IDS,
> etc..).
> and if you are just one of many customers won't you get
> less intense/frequent scrutiny than if you had your own dedicated
> security staff person whose job is to manage your network
> security?

This is the pipedream of all with a network exposure, but, there are issues that limit this to reality;

1) there are just not enough security professionals to go around, though I'm betting some companies could make out like bandits during this *regression* in the IT field in general as it concerns the job market at present.

2) Perhaps even more importantly in a total picture perspective; companies with networks be they attached to the internet or not, actually find themselves as being two companies combined, the one company being the bread maker, the business of which they conduct and the products and or services they provide, and the second company, often a money sucker rather than a money maker, the IT division. Sometimes those two companies within are even at opposition to one another! <grin>

Thanks,

Ron DuFresne

>
> Wed, 27 Jun 2001 mht@clark.net wrote:
>
> > Smoke and mirrors has been an issue with Managed Security Service since the
> > early 90's. also Buyer beware. How do you know the person sitting back
> > watching the screens is actually a bona fide security type person and not
> > some person who got hired because they showed up at DefCon and impressed
> > someone with their Pez collection (true story).. :) A lot of the debunking
> > is not the actual alert but really happens behind the scenes to determine
> > if one or many alerts are actually valid or not. Each environment can
> > generate their own typical noise or discard that normally traverses the
> > network on a daily basis. It is the MSP's job to sort through the noise or
> > discard and actually call the customer to tell them that there is an actual
> > intrusion or possible intrusion.
> > Now this whole process seems a bit tedious
> > and the folks at ADT can probably provide better statistics on false
> > positives than an MSP can, but back to the point, what value does an MSP
> > like DigitalMojo provide when if you read between the lines, they actually
> > outsource to other MSPs..
> >
> > /m
> >
> > At 04:27 PM 6/27/2001 -0500, Ron DuFresne wrote:
> >
> > >smoke and mirrors has been one of the issues with managed service
> > >providers and especially managed security providers for some time. Just
> > >because they may sell you a service for IDS does not mean a lot if the IDS
> > >is set up on the exterior of the network and they are constantly alerting
> > >you and your staff of 'intrusion detections' 30-500 times a day. In fact,
> > >it tends to devalue such 'warnings' to the point folks tend to just start
> > >routing those reports to the trash bin. Thorough reading of contracts in
> > >such outsourcing agreements is a must, as well as *understanding* what
> > >those contracts are really saying.
> > >
> > >Thanks,
> > >
> > >Ron DuFresne
--__--__--

Message: 6
From: "Greg Sheard" <greg@ecsc.co.uk>
To: "Zachary Uram" <zu22@andrew.cmu.edu>
Cc: "Ron DuFresne" <dufresne@winternet.com>, <firewalls@pluto.gnac.com>, <mht@clark.net>
Subject: Re: Managed Service Providers
Date: Wed, 27 Jun 2001 23:24:15 +0100

[Full Disclosure: I work for a security firm. One of the things we sell is managed systems.]

From public data, most huge companies either get a huge company to do their security (BT, IBM, etc) or get a huge team of skilled professionals to permanently keep an eye on things. Most big (so not huge... never been good at talking!) companies will tend to have a small team within their MIS department.

Then you get down to the SMEs. Any SME who wants to use email in the workplace now virtually always has an always-on connection of some kind, even here in the UK. The usual best-case scenario is a Windows 2000 box serving Internet. Occasionally there's a router with access-control. Something like 95% of SMEs in the UK have no real security. Unless they're on the large side, they probably can barely afford an IT guy at all. In their shoes, would you drain money with another salary or pay comparably little (a tenth as much?) for somebody to manage your systems?

OK, so I'm only a geek, not a suit. Even so, seems plain to me.

Just my $0.001 (I'm told I'm ten a penny...)

Greg.

Zachary Uram wrote:

> i don't understand why someone would rely on an outsider to
> manage their security structure?
> it seems this is best handled on the inside (with firewalls, IDS,
> etc..). and if you are just one of many customers won't you get
> less intense/frequent scrutiny than if you had your own dedicated
> security staff person whose job is to manage your network
> security?

Greg Sheard
Senior Associate
ECSC Ltd

The information in this email is confidential and legally privileged. It is intended solely for the addressee. Access to the email by anyone else is unauthorised.
If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken upon reliance on it, is prohibited and unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing ECSC Conditions of Service. The contents of any attachment may contain viruses. Whilst ECSC has taken reasonable precautions to minimise risk we cannot accept liability for any damage you sustain as a result of software viruses. You should carry out your own virus checks before opening any attachments.

--__--__--

Message: 7
From: "Hank Wethington" <linux@info-logix.com>
To: <firewalls@pluto.gnac.com>
Subject: RE: Managed Service Providers
Date: Wed, 27 Jun 2001 15:27:27 -0700

The issue is that a dedicated security person could cost an organization $60-$100+k a year, plus the hardware needed to do the job right. MSPs are a fraction of that. Finding a good one is a hard job. It comes down to evaluating an organization over time. Unfortunately because of the relative newness, that's tough. There might be a few changes in your MSP before you find a good one. I do think, that like people who call themselves Information Security Specialists, it is a weeding process. Get someone you trust, security wise, involved if you really need to go down that road and don't feel comfortable evaluating them yourself.

For all that's worth...
Hank Wethington
================================================
Information Logistics
www.GoInfoLogistics.com
mailto:info.at.GoInfoLogistics.com
================================================

-----Original Message-----
From: firewalls-admin@lists.gnac.net [mailto:firewalls-admin@lists.gnac.net]On Behalf Of Zachary Uram
Sent: Wednesday, June 27, 2001 2:59 PM
To: mht@clark.net
Cc: Ron DuFresne; firewalls@pluto.gnac.com
Subject: Re: Managed Service Providers

i don't understand why someone would rely on an outsider to manage their security structure? it seems this is best handled on the inside (with firewalls, IDS, etc..). and if you are just one of many customers won't you get less intense/frequent scrutiny than if you had your own dedicated security staff person whose job is to manage your network security?

Wed, 27 Jun 2001 mht@clark.net wrote:

> Smoke and mirrors has been an issue with Managed Security Service since the
> early 90's. also Buyer beware. How do you know the person sitting back
> watching the screens is actually a bona fide security type person and not
> some person who got hired because they showed up at DefCon and impressed
> someone with their Pez collection (true story).. :) A lot of the debunking
> is not the actual alert but really happens behind the scenes to determine
> if one or many alerts are actually valid or not. Each environment can
> generate their own typical noise or discard that normally traverses the
> network on a daily basis. It is the MSP's job to sort through the noise or
> discard and actually call the customer to tell them that there is an actual
> intrusion or possible intrusion. Now this whole process seems a bit tedious
> and the folks at ADT can probably provide better statistics on false
> positives than an MSP can, but back to the point, what value does an MSP
> like DigitalMojo provide when if you read between the lines, they actually
> outsource to other MSPs..
>
> /m
>
> At 04:27 PM 6/27/2001 -0500, Ron DuFresne wrote:
>
> >smoke and mirrors has been one of the issues with managed service
> >providers and especially managed security providers for some time. Just
> >because they may sell you a service for IDS does not mean a lot if the IDS
> >is set up on the exterior of the network and they are constantly alerting
> >you and your staff of 'intrusion detections' 30-500 times a day. In fact,
> >it tends to devalue such 'warnings' to the point folks tend to just start
> >routing those reports to the trash bin. Thorough reading of contracts in
> >such outsourcing agreements is a must, as well as *understanding* what
> >those contracts are really saying.
> >
> >Thanks,
> >
> >Ron DuFresne

--__--__--

Message: 8
From: "Hank Wethington" <linux@info-logix.com>
To: <firewalls@pluto.gnac.com>
Subject: Research information
Date: Wed, 27 Jun 2001 15:24:24 -0700

I've been asked to evaluate Mandrake's Single Network Firewall 7.2 for a customer. I've conducted a few searches on Google and stuff and haven't found much information, except marketing, for it. From an initial look, it seems to be just using IPCHAINS and a fancy interface. It does have some nice built-in features for a small company without a lot of technical expertise.

I was wondering if anyone had experience with it in the real world. How is the performance? How do you feel about the security it provides? Is it just using IPCHAINS?

I'm grabbing a copy and gonna check it out too, but I was hoping someone has seen it being used.
Hank Wethington
================================================
Information Logistics
www.GoInfoLogistics.com
mailto:info.at.GoInfoLogistics.com
================================================

--__--__--

Message: 9
Date: Wed, 27 Jun 2001 15:37:23 -0700
To: "Greg Sheard" <greg@ecsc.co.uk>, "Zachary Uram" <zu22@andrew.cmu.edu>
From: mht@clark.net
Subject: Re: Managed Service Providers
Cc: "Ron DuFresne" <dufresne@winternet.com>, <firewalls@pluto.gnac.com>

A little off base, going from MSP managing an organization's corporate security to monitoring the end-node users. A majority of the MSPs do not offer that kind of granularity unless a customer is willing to pay lots and lots of dough, therefore allowing the MSP to staff itself with more than 5 people for 7x24 coverage.. Remember design for 10, but seat 7 is always an MSP model to monitor up to 30 customers at a time. :)

At 11:24 PM 6/27/2001 +0100, Greg Sheard wrote:

[Full Disclosure: I work for a security firm. One of the things we sell is managed systems.]

From public data, most huge companies either get a huge company to do their security (BT, IBM, etc) or get a huge team of skilled professionals to permanently keep an eye on things. Most big (so not huge... never been good at talking!) companies will tend to have a small team within their MIS department.

Then you get down to the SMEs. Any SME who wants to use email in the workplace now virtually always has an always-on connection of some kind, even here in the UK. The usual best-case scenario is a Windows 2000 box serving Internet. Occasionally there's a router with access-control. Something like 95% of SMEs in the UK have no real security. Unless they're on the large side, they probably can barely afford an IT guy at all. In their shoes, would you drain money with another salary or pay comparably little (a tenth as much?) for somebody to manage your systems?

OK, so I'm only a geek, not a suit. Even so, seems plain to me.
Just my $0.001 (I'm told I'm ten a penny...)

Greg.

Zachary Uram wrote:

> i don't understand why someone would rely on an outsider to
> manage their security structure?
> it seems this is best handled on the inside (with firewalls, IDS,
> etc..). and if you are just one of many customers won't you get
> less intense/frequent scrutiny than if you had your own dedicated
> security staff person whose job is to manage your network
> security?

Greg Sheard
Senior Associate
ECSC Ltd

--__--__--

End of Firewalls Digest