Great Circle Associates Firewalls
(October 1996)
 


Subject: Re: Third Party ISP and firewall maintainers
From: Pierre-Yves Bonnetain <pyb @ cadrus . fr>
Date: Thu, 17 Oct 1996 14:01:00 +0100
To: alan @ mindvision . com, Firewalls @ GreatCircle . COM
Cc: firewalls-digest @ GreatCircle . COM
In-reply-to: <199610170022 . RAA17592 @ miles . greatcircle . com> (firewalls-digest-owner @ GreatCircle . COM)

>
>   I am assuming that:
> 
>   	a/ The administration mechanism is secure enough for your
>   	   security policy
> 
> 	b/ The hired administrators are trustable (according to your
> 	   security policy)
> 
> 	c/ The hired administrators are more capable/cheaper than
> 	   the in-house talent.
> 
>   It is my opinion that out-sourcing your firewall and i-net
>   connection makes a lot of sense for companies w/ 20-5000 people.
>   Building the expertise to manage a firewall 24x7 is moderately
>   intense.  Companies such as Pilot, Exodus, INS, Netsolve can do
>   this far more efficiently, and, ideally, at a higher quality of
>   service, than in-house groups.
> 
>   As such, I see them, under the proper circumstances, as a win-win
>   solution.

   I do not concur with that. I have all too often seen ISPs doing FW with
good stuff, good people and bad policy. I have even seen (soooo often) a single
FW protecting the ISP connection, such as

   <Internet> ---- <ISP Fwall> --- ISP client 1
                                |
                                --- client 2...

   Meaning, of course, that the ISP does leverage its fwall investment because
the same system is used to protect all its clients.
   First, not all clients have the same constraints, so this cannot be used. It
is silly.
   Secondly, even if all had the same constraints, what prevents one client from
attacking another one? We're all behind the same fwall, we're blind-trust and
security-light because this is our ISP's problem, we pay him for that.
   Hell, for 50$ I can subscribe for a Dialup to this ISP and then I am _free_
to attack all his clients. That is an interesting functionality...

-- 
-+-+ Pierre-Yves BONNETAIN (aka Pyb)
     Consultant Internet/Securite
     B & A Consultants - PROXIMA - Rue des Pyrénées
     31330 Grenade-Sur-Garonne - FRANCE
     Tel : 05.62.79.32.61 - Fax : 05.61.82.42.21
