Monday, October 15, 2007

MSSP Survey Part 2: Managed Firewall and Intrusion Detection Services

Today, it is well understood that every Internet-connected business needs at least one perimeter firewall, and perhaps several, depending on the number of locations, the size of the workforce, and the need for high availability. Most businesses also need some degree of Intrusion Detection (IDS) to detect attacks that the firewall did not stop, i.e., activity that has already penetrated the network perimeter.

These firewall and IDS "best practices" may be common in large enterprises, but they still are not easy to design, deploy, administer, and monitor efficiently. Smaller businesses increasingly rely on turnkey security appliances, but often lack the in-house expertise to judge whether the defenses they have deployed are actually effective. Managed Security Service Providers (MSSPs) let customers focus on their own core businesses by offloading these network security tasks.

Managed Firewall services are still a staple for nearly every MSSP participating in our survey, creating a foundation upon which to deliver many add-on or complementary security services. This year, Managed Intrusion Detection offerings have become nearly as prevalent.

However, the line between perimeter firewall and intrusion defenses has become increasingly thin—in some cases, entirely absent—with the advent of Intrusion Prevention (IPS). In this year's survey, we note a marked increase in IPS services, paired with or integrated into firewall/IDS offerings.

Laying The Foundation: Managed Firewalls
Nearly every MSSP participating in this year's survey offers one or more Managed Firewall services (see chart). Two participants (Aventail and Fiberlink) focus exclusively on secure remote access and thus do not appear here. AT&T does offer Managed Firewall and IDS (IP Security) services, but did not submit firewall/IDS details this year.

MSSPs deliver Managed Firewall services by taking responsibility for firewall hardware/software installation and policy configuration to reflect customer needs. Typically, MSSPs manage firewall rules and monitor firewall events remotely, 24x7x365, from a Security Operations Center (SOC).

Basic firewall service attributes are fairly consistent across the board. For example, all of the firewall services in this year's survey are CPE-based, access link-independent, and include 24/7 monitoring and automated incident response, except where otherwise noted in our chart. Most are optionally available in high-availability configurations, although architectures do vary (e.g., active-passive, active-active, stateful failover).

Several MSSPs now offer more than one firewall service. For example, ClearPath offers the only network-based firewall service in this year's survey, but also sells a CPE service, based on its own security appliance. ISS offers separate "managed" and "monitored" firewall services, the distinction being whether firewall events receive expert human scrutiny at the SOC. Unisys offers both a standard TCP/IP firewall service and a web application firewall service. Finally, most providers now employ more than one firewall platform, sold under a single service, but selected and deployed as needed to meet each customer's requirements.

In fact, although Check Point is still very popular, we now see Cisco PIX and NetScreen (now part of Juniper) nearly as often. Fortinet, SonicWALL, Symantec, and WatchGuard appliances made appearances this year, along with proprietary appliances from ClearPath, ISS, PresiNET, SecurePipe, and SecureWorks. The number of providers that now employ more than one platform appears to indicate a move away from one-size-fits-all solutions. After all, you don't need to buy a turnkey box from an MSSP; you can buy those on-line. Expect your MSSP to select the right firewall(s) to meet your company's needs, configure them properly, and keep a full-time watchful eye over them.

As we do each year, we asked providers to describe their procedures for handling firewall policy updates, log and report delivery, and incident response. For many providers, this is where the rubber meets the road: these are time-consuming tasks that require careful scrutiny and security expertise. They are also sensitive tasks that require delegating selected responsibilities to the provider while leaving the customer in the driver's seat. It is difficult for a survey to directly compare such processes, but responses to these questions can give you a feel for each provider's overall approach, level of customer interaction, and attention to security. For example:

* Most providers now offer secure, web-based "customer portal" access to logs and reports. When choosing a provider, look carefully at supplied information to ensure you receive sufficient visibility without overwhelming detail. See IDS/IPS for incident response handling.

* Most providers now support on-line change requests, submitted through a customer portal, with status tracking and completion notification. Look for differentiating features like strong authentication of the requester, pre-implementation review/impact assessment, and post-implementation verification.
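As an added illustration of the review steps just listed (not code from the article or from any surveyed MSSP), the following Python script models a first-match rule base, runs a pre-implementation impact assessment on a proposed rule, and then runs a post-implementation verification of representative traffic against the deployed policy. The rule syntax, the sample rule base, the INTERNAL range and the packets checked are all constructed for the example.

```python
"""Firewall change-request review: pre-implementation impact assessment and
post-implementation verification for a first-match rule base.

Added example, not code from the article or from any MSSP named in it. The
rule syntax, the sample rule base and the packets checked are constructed for
illustration; INTERNAL marks the customer's private range (assumed).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/8")        # assumed customer-internal range


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    proto: str                # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: Tuple[int, int]    # inclusive destination port range


def parse_rule(line: str) -> Rule:
    """Parse 'name action proto src dst port', e.g. 'r10 allow tcp 0.0.0.0/0 192.0.2.10/32 443'."""
    name, action, proto, src, dst, port = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action {action!r} in rule {name}")
    if port == "any":
        dport = (0, 65535)
    elif "-" in port:
        lo, hi = port.split("-")
        dport = (int(lo), int(hi))
    else:
        dport = (int(port), int(port))
    return Rule(name, action, proto.lower(), ip_network(src), ip_network(dst), dport)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by inner is also matched by outer."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.dport[0] <= inner.dport[0] <= inner.dport[1] <= outer.dport[1])


def assess_change(ruleset: List[Rule], proposed: Rule, position: int) -> List[str]:
    """Pre-implementation review of inserting proposed at index position (first match wins)."""
    findings = []
    for earlier in ruleset[:position]:
        if covers(earlier, proposed):
            kind = "redundant with" if earlier.action == proposed.action else "shadowed by"
            findings.append(f"{proposed.name} is {kind} earlier rule {earlier.name} and will never match")
            break
    for later in ruleset[position:]:
        if later.action != proposed.action and covers(proposed, later):
            findings.append(f"{proposed.name} will shadow later rule {later.name} ({later.action})")
    if proposed.action == "allow" and proposed.src == ANY:
        if proposed.dst == ANY and proposed.dport == (0, 65535):
            findings.append(f"{proposed.name} is an unrestricted allow-any rule; needs explicit justification")
        elif proposed.dst.subnet_of(INTERNAL):
            findings.append(f"{proposed.name} exposes internal {proposed.dst} to any source on ports {proposed.dport}")
    return findings


def decide(ruleset: List[Rule], proto: str, src: str, dst: str, dport: int) -> Tuple[str, Optional[str]]:
    """First-match evaluation with an implicit final deny; returns (action, rule name)."""
    s, d = ip_address(src), ip_address(dst)
    for r in ruleset:
        if r.proto in ("any", proto) and s in r.src and d in r.dst and r.dport[0] <= dport <= r.dport[1]:
            return r.action, r.name
    return "deny", None


def verify_deployment(ruleset: List[Rule], expectations) -> List[str]:
    """Post-implementation verification: each expectation is (proto, src, dst, dport, expected action)."""
    failures = []
    for proto, src, dst, dport, expected in expectations:
        got, by = decide(ruleset, proto, src, dst, dport)
        if got != expected:
            failures.append(f"{proto} {src}->{dst}:{dport} got {got} (rule {by}), expected {expected}")
    return failures


# Constructed sample rule base (top to bottom, first match wins).
BASE = [parse_rule(line) for line in [
    "r10 allow tcp 0.0.0.0/0   192.0.2.10/32 443",   # public web server
    "r20 deny  any 0.0.0.0/0   10.0.0.0/8    any",   # nothing else inbound to internal
    "r30 allow tcp 10.0.0.0/8  0.0.0.0/0     any",   # internal egress
]]
PROPOSED = parse_rule("r15 allow tcp 0.0.0.0/0 10.0.5.20/32 3389")   # the change request

# Constructed post-change checks; the last one is expected to fail.
CHECKS = [
    ("tcp", "198.51.100.7", "192.0.2.10", 443, "allow"),
    ("tcp", "198.51.100.7", "10.0.5.20", 3389, "allow"),
    ("tcp", "198.51.100.7", "10.0.5.21", 3389, "deny"),
    ("udp", "10.1.1.1", "8.8.8.8", 53, "allow"),      # r30 is tcp-only, so this is denied
]

if __name__ == "__main__":
    for pos in (1, 2):
        print(f"insert at {pos}:", assess_change(BASE, PROPOSED, pos) or ["no findings"])
    deployed = BASE[:1] + [PROPOSED] + BASE[1:]
    print("verification failures:", verify_deployment(deployed, CHECKS))
```

Position matters: inserted below the blanket deny (index 2), the requested allow is silently shadowed and never takes effect, which is exactly the finding a pre-implementation review should return to the requester instead of deploying the change; inserted above it (index 1), the review still flags that an internal host is being opened to any source. The verification step deliberately includes a check the sample policy fails (UDP egress), since a verification that can only pass proves nothing.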

Most (but not all) firewall services are accompanied by Service Level Agreements (SLAs) that specify certain procedural, health, or performance metrics. SLAs still vary quite a bit, and may be customized when negotiating service contracts. Still, we recommend asking your MSSP to quantify its commitments and to stand behind them with service-credit or money-back guarantees. If you would require such commitments from your in-house security staff, you should expect no less from your MSSP.

Finally, we asked providers to identify managed firewall service add-ons, since many higher-layer services are sold only in conjunction with underlying network or firewall services. VPN, IDS, and (to a lesser extent) Content Filtering were very common in this year's survey. Many providers also offer complementary services like network scanning; remotely-initiated scans from outside the perimeter are helpful to demonstrate that your firewall is actually enforcing the policy you think it is.

http://www.isp-planet.com/technology/2004/mssp2.html