Firewall Wizards mailing list archives

Re: Outsourcing.


From: Darren Reed <darrenr () reed wattle id au>
Date: Wed, 21 Apr 1999 02:36:54 +1000 (EST)

In some email I received from Matthew_S_Cramer () armstrong com, sie wrote:

We currently have an outsourced firewall solution (*gasp* *groan*).  I am
not going to name any company names but they are a huge ISP (global).
This situation arose because no one here had a clue about internet
security (before I came...blah blah).  Overall it hasn't been terrible,
but I have the following problems:

   Lack of technical skill of the ISP / firewall manager.  Even though they
are huge they still have clueless people in the NOC.
[...]

One tactic often deployed where the company charged with providing the
services is taking over control where a large department has been doing
things is to take on some of those staff.  Of course, if those staff
aren't all that savvy in the first place, then you don't gain much from
the effort except a change in paper trails and flow of money...

[...]
   Lack of information for us.  We can't even touch the keyboard on the
firewall, let alone get a shell.  Even though I intuitively diagnosed the
problem above it would have been easier to prove to the ISP / outsourcing
company I was correct if I had access to the machine.

   Backdoors on the firewall - the ISP has a modem on the firewall!!!!

You should have argued for (at least) non-administrative access so that you
could review their changes, etc (and promise not to make use of any exploits
that become available and aren't fixed quickly ;).  You may even wish to ask
for this from your prospective provider.

Darren


