Firewall Wizards mailing list archives

Re: Outsourcing.


From: David Lang <dlang () diginsite com>
Date: Wed, 28 Apr 1999 19:30:10 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

Another answer is to provide strong authentication to the dial-up line.
Here at work I have the ability to dial into our routers, but it requires a
one-time password to get in.

David Lang

On Thu, 29 Apr 1999 Andrew_Bernoth () advantra com au wrote:

Date: Thu, 29 Apr 1999 09:37:41 +1000
From: Andrew_Bernoth () advantra com au
To: David Morrison <dmarriso () spacestar net>
Cc: Matthew_S_Cramer () armstrong com, firewall-wizards () nfr net,
     darrenr () reed wattle id au
Subject: Re: Outsourcing.



Hi,

I currently work for an outsourcing company.  We do look after a number of
firewalls for our customers.  In some instances we have been required,
(thanks to sales), to put modems on the back of our equipment.  At which
point we ensure that the modem is not powered up, nor connected to the
analogue line all the time.  If we have a support issue we call a contact at
the site who switches the modem on and connects it to the phone line.  One
ingenious company put the modem on a 2 hour timer switch, they push the
button, we have 2 hours to fix the problem before the modem loses power.






David Morrison <dmarriso () spacestar net> on 28/04/99 02:36:52 PM

Please respond to David Morrison <dmarriso () spacestar net>

To:   Matthew_S_Cramer () armstrong com
cc:   firewall-wizards () nfr net, darrenr () reed wattle id au (bcc: Andrew
      Bernoth/AdvInt/Advantra)
Subject:  Re: Outsourcing.




My suggestion is that you get to know the individuals which are being hired.




Matthew_S_Cramer () armstrong com wrote:

darrenr () reed wattle id au wrote:

Have others here had dealings with outsourcing companies and managed to get
them to act responsibly with regard to protecting the integrity of their
clients' networks or have any stories about such a setup being exploited?
(names need not be mentioned).

We currently have an outsourced firewall solution (*gasp* *groan*).  I am not
going to name any company names but they are a huge ISP (global).  This
situation arose because no one here had a clue about internet security
(before I came...blah blah).  Overall it hasn't been terrible, but I have the
following problems:

   Lack of technical skill of the ISP / firewall manager.  Even though they
are huge they still have clueless people in the NOC.  One example that comes
to mind is one we experienced last year - we were getting piss-poor
performance of our proxy server during normal business hours.  My theory -
Pentium 90 BSDi box is too small to handle the load - it should be replaced.
Outsource company's theory - we had our DNS (we have split DNS)
misconfigured.  After 6 weeks the outsourcing company concluded that the
Pentium should be replaced by an ultraSparc.  Voila!  Problem resolved.
*grrrrr*

   Lack of information for us.  We can't even touch the keyboard on the
firewall, let alone get a shell.  Even though I intuitively diagnosed the
problem above it would have been easier to prove to the ISP / outsourcing
company I was correct if I had access to the machine.

   Backdoors on the firewall - the ISP has a modem on the firewall!!!!

Overall, I think this is a good option for companies that have low
cluefulness amongst their employees, or can't give 24/7 attention to a
firewall using only internal employees.  But there are some security risks -
namely you can't see what they are doing and there are reasons to be worried
about incompetence.

We will soon be switching to a more pleasant agreement with an ISP / firewall
service vendor.  In this agreement they will "own" the hardware and the OS
and be responsible for patching and replacing busted kit - but the firewall
software / rulesets / configuration will only be controlled by internal
staff.  Getting this compromise was the conclusion of over a year of
campaigning by me (I've only worked here a year and a half).

Matt

Disclaimer: The above represents only my personal comments and does not
represent an official position of Armstrong World Industries concerning
companies with whom we do business.












"If users are made to understand that the system administrator's job is to
make computers run, and not to make them happy, they can, in fact, be made
happy most of the time. If users are allowed to believe that the system
administrator's job is to make them happy, they can, in fact, never be made
happy." 
- -Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA '97)

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

-----END PGP SIGNATURE-----


