Outsourcing firewall management
With hacker attacks and viruses from the Internet becoming more frequent and malicious, companies of all types and sizes are examining security issues more seriously than ever before and taking steps to close potential breach points on their networks. The solution most commonly applied to deal with threats from cyberspace is the firewall, which enforces security by regulating access to and from the Internet, holding back unidentifiable content, and implementing countermeasures to thwart suspected break-in attempts while they are happening.
Stakes Are High
The 6th annual Computer Crime and Security Survey released in March 2001 confirms that security breaches are escalating, not diminishing, and that financial losses are mounting. Conducted by the Computer Security Institute (CSI), with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad, the survey found that 85% of corporate and government respondents detected computer security breaches in the previous 12 months.
Sixty-four percent admitted financial losses due to computer breaches. Financial losses reported by 186 respondents amounted to $378 million last year, compared with losses of $265 million reported by 249 respondents in 1999.
If the past is a sign of things to come, Internet attacks will escalate in the future and losses will continue to multiply. By year-end 2000, there were 21,756 reported incidents, according to the CERT (Computer Emergency Response Center) Coordination Center (Figure 1). In the first quarter of 2001, the number of reported attacks was already 7047. Assuming a linear growth trend, this means there will be over 28,000 incidents reported by year-end 2001.
The growth in the number of incidents is due to the widespread availability of automated hacking tools that can be downloaded from the Internet, from port scanners and war dialing scripts, to brute force password crackers--many with graphical user interfaces, help files and instructions for getting started. These and other tools offer easy entry into the apparently glamorous world of cyber crime, where even unsophisticated computer users can try their hand at launching attacks on unsuspecting companies.
However, with large enterprises now spending lavishly on security, many hackers are turning their attention to small and mid-sized businesses because they know such firms cannot afford the expertise required to configure and manage their own firewalls, much less take effective countermeasures to stop attacks in progress at any time of the day or night. Not surprisingly, the market for managed security is potentially a lucrative one, with revenues projected to reach $2.5 billion in 2005, according to The Yankee Group.
For small and mid-sized businesses, outsourcing the responsibility for network security to an experienced service provider represents a cost-effective, no-hassles alternative to firewall ownership. In fact, acquiring security expertise is the biggest hidden cost of the do-it-yourself approach.
The dearth of knowledgeable security personnel and the high salaries they command put seasoned talent out of reach for many smaller companies. A carrier-managed firewall solution, on the other hand, allows small and midsize firms to implement best-of-breed security solutions at a fixed monthly cost, without the ongoing hassles of recruiting and retaining quality staff.
This frees the organization to focus on core business issues, while benefiting from the service provider’s continuous network surveillance capability and the expertise of its certified security personnel, who are trained to deal with virtually any menace from cyberspace.
What Should a Service Provider Offer?
A managed firewall service consists of hardware, software, consulting, monitoring and management tools that continuously scan and analyze the vulnerability of an organization’s Internet-connected systems.
Firewall management is best offered in conjunction with the provider’s Internet services, including those provisioned over asynchronous transfer mode (ATM), frame relay, digital subscriber line (DSL), and integrated service offerings that combine voice and Internet services over the same access bandwidth. Assuming that the Internet service is already in place, a fully configured firewall can be put into place in 10 business days or less.
A key stumbling block for SMBs is performing an initial vulnerability assessment. This is a critical step because if it is done improperly or not at all, the firewall’s initial configuration will not be effective. This is where managed security providers can offer significant value.
The vulnerability assessment is often done with the same tools hackers use to discover and exploit breach points. Depending on the type of network, protocols, operating systems, and applications a company has, appropriate tools are selected that will test for the known vulnerabilities associated with these elements.
The vulnerability assessment can even be decoupled from the managed firewall service for use as a sales tool. Companies can be induced to request a network vulnerability assessment with a nominal fee, which can be waived or rebated when they subscribe to the managed firewall service. Alternatively, the vulnerability assessment can be offered free to the current Internet service subscriber base as a means of targeting pre-qualified customers and shortening the sales cycle.
After submitting the network to a battery of tests, the managed firewall service provider presents the customer with recommendations for fixing problems that have been identified. The recommendations will be codified in the form of rule sets that will be loaded into the firewall. At this point, the service provider must be prepared to take full responsibility for configuring and fine-tuning the firewall and for ongoing management.
Rule sets can be defined to regulate passage of traffic according to its source and destination, specific applications and types of files, and users or groups of users, and can even limit access to resources by time of day.
If incoming traffic contains an executable file that has the signature of a known virus, for example, that traffic will not be allowed to pass beyond the firewall onto the corporate network where it can do harm when opened. The content security capabilities of the firewall can spot suspicious files, weed out undesirable Web content, and put limits on the size of files that are allowed onto the corporate network.
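The rule-set criteria described above (source and destination, application, file type and size, user group, time of day) can be modeled in a few lines. This is an added example, not code from the original article or any vendor's rule format; the schema, rule names, addresses, and the first-match, default-deny evaluation order are assumptions chosen for illustration, and a file extension stands in for the file type.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:  # hypothetical schema for this example, not a vendor format
    name: str
    action: str                                # "allow" or "deny"
    src: str = "0.0.0.0/0"                     # any source by default
    dst: str = "0.0.0.0/0"                     # any destination by default
    app: Optional[str] = None                  # None = any application
    groups: Optional[frozenset] = None         # None = any user group
    file_exts: Optional[frozenset] = None      # only these file types
    over_bytes: Optional[int] = None           # only files larger than this
    hours: Optional[Tuple[time, time]] = None  # (start, end) window

Flow = namedtuple("Flow", "src dst app group when file_ext file_bytes", defaults=("", 0))

def in_window(hours, when):
    if hours is None:
        return True
    start, end = hours
    if start <= end:
        return start <= when < end
    return when >= start or when < end         # window wraps past midnight

def matches(rule, flow):
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and rule.app in (None, flow.app)
            and (rule.groups is None or flow.group in rule.groups)
            and (rule.file_exts is None or flow.file_ext in rule.file_exts)
            and (rule.over_bytes is None or flow.file_bytes > rule.over_bytes)
            and in_window(rule.hours, flow.when))

def evaluate(rules, flow):
    # First matching rule wins; traffic that matches nothing is denied.
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "default-deny"

LAN = "10.0.0.0/8"                             # constructed sample policy
RULES = [
    Rule("block-executables", "deny", dst=LAN, file_exts=frozenset({"exe", "vbs", "scr"})),
    Rule("cap-file-size", "deny", dst=LAN, over_bytes=10 * 1024 * 1024),
    Rule("finance-to-bank", "allow", src="10.1.20.0/24", dst="203.0.113.10/32",
         app="https", groups=frozenset({"finance"}), hours=(time(8), time(18))),
    Rule("staff-web", "allow", src=LAN, app="http"),
    Rule("inbound-mail", "allow", dst="10.1.1.25/32", app="smtp"),
]
```

Because the first match wins, the two content-filtering deny rules sit above the allow rules; placing them below `inbound-mail` would let an executable attachment through.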
For small and mid-sized companies, the value of a managed firewall service is in having an expert partner that will stay abreast of the latest developments and implement effective countermeasures to prevent unauthorized access to the organization’s online resources.
Therefore, the service provider must also be prepared to take full responsibility for modifying the attack detection parameters of the firewall to deal with new threats. This entails establishing and maintaining contact with various network security watch groups, such as the CERT (Computer Emergency Response Team) Coordination Center and the National Infrastructure Protection Center (NIPC).
CERT/CC is located at the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania. Its primary goals are to ensure that appropriate technology and systems management practices are used to resist attacks on networked systems and to limit damage and ensure continuity of critical services in spite of successful attacks. CERT/CC does this by focusing its efforts on survivable network management, survivable network technology, incident handling, incident and vulnerability analysis, and education.
NIPC is located in the FBI's headquarters building in Washington, DC. Its stated mission is to detect, deter, warn of, respond to, and investigate malicious acts, both physical and cyber, which threaten the nation's critical infrastructures, including telecommunications. The center coordinates the federal government's response to incidents and attacks. Security providers can join the organization’s InfraGard initiative, which provides the means to exchange information between government and private sector members.
Positioning the Firewall
The managed firewall can be physically located at the customer’s location or the service provider’s location. Offering the firewall as customer premises equipment (CPE) is advantageous when the customer wants to guard against internal threats and limit certain resources to only authorized employees.
In addition to regulating traffic flow between the public and private network, a firewall can be configured to regulate traffic between internal company networks, such as the subnets of human resources, marketing, finance, and legal departments. But with the firewall located at the service provider’s site, it would be inefficient and expensive to pass all intra-company traffic over the access link to reach the firewall for processing against various rule sets, and then send it back again to reach the appropriate subnet. Such backhauling inflates the cost of the service by requiring more bandwidth.
Furthermore, a firewall at the service provider’s location would not necessarily extend protection to branch office and telecommuter locations. This points to the need among service providers to offer customers a range of security solutions that fit a variety of specific needs.
A low-end firewall solution that protects corporate information stored on a telecommuter’s PC, for example, might consist of firewall software loaded and configured in a Netopia DSL router. This is important because DSL connections are always on, and hackers can come in through the Internet and mess with the personal data on the home computer as well as any corporate information it may hold. There is even the possibility of hackers using the telecommuter’s connection as a back door from which to launch an attack on the employee’s company.
For customers with an installed base of Cisco routers, the service provider may offer a combined firewall-router service that entails configuring the operating system’s security features. For enterprise-level security, the choices might include Check Point FireWall-1. If separate devices provide firewall and router functionality, it might be of added value to the customer if both devices were monitored and managed by the same service provider.
A good reason for having the firewall at the service provider’s location is to be able to service multiple smaller companies from the same shared system at a lower cost than provisioning separate firewalls at each customer location. Savvy service providers will offer both CPE and shared solutions.
Other Responsibilities
Regardless of the firewall locations and the scale of specific solutions, the managed firewall service provider will also have responsibility for maintaining backup copies of the customer’s rule sets for all locations, along with all the firewall passwords. A copy of the most recent router configuration should be kept as well, since this information is usually needed to reconfigure the firewall or router in case of a major system failure.
It should take no more than a few hours for the service provider to fully restore a firewall rule set and associated configuration files. The changes are implemented remotely from the service provider’s Network Security Operations Center (NSOC) over an encrypted Internet connection. If the customer’s dedicated access connection is not available, perhaps due to an out of service transmission line or malfunctioning router, the service provider will use a dial-up connection to a modem attached to the firewall to upload the changes.
Performance Reports
A critical ingredient of any managed security solution is the ability of the service provider to furnish the customer with a performance analysis of the firewall, with recommendations on improving throughput and closing potential breach points. Implementing the recommendations could entail software changes, hardware upgrades, or bandwidth increases. The effect of these changes is that the customer’s network will continue to operate at peak performance without security being compromised.
The managed firewall service provider should be able to generate performance reports that can be accessed by the customer on a secure website using a browser that supports 128-bit key encryption. Often, customers will want their routers managed as well. By entering a username and password, the customer can view color-coded charts and graphs that summarize the quality of all the managed resources. Comparative performance data on specific network resources and groups of resources should also be available on the Web.
Performance reviews with the customer’s representatives should be held at least quarterly, focusing on the performance of the service provider over the previous three months. Other topics might include the effectiveness of recent rule changes and any service-affecting incidents that may have occurred.
Security for All
In the “anything goes” environment of the public Internet, with its resident hacker population apparently eager to exploit any vulnerability, the challenge of maintaining a secure network may seem intimidating. The most effective solution is a firewall, but this involves the purchase of hardware and software, hiring skilled personnel, and changing business processes and practices--all very expensive propositions for smaller firms struggling to survive in today’s slow-growth economy.
Now smaller companies have immediate recourse--they can implement effective security and mitigate their exposure to risk by subscribing to a managed firewall service. Considering the cost of technical staff and the mission-critical nature of today’s networks, it makes good economic sense for small and mid-size businesses to outsource security management.
The need for affordable security solutions can be effectively addressed by carriers, ISPs and integrated communications providers that have a 24x7 network operations center with monitoring capabilities that go past the edge routers all the way to the firewall at the customer location. Maintaining the effectiveness of the firewall on an ongoing basis requires certified security professionals who stay informed of the latest threats in order to respond quickly with appropriate countermeasures.
Nathan J. Muller is Senior Technical Consultant at e.spire Communications, Herndon, VA. In his 30 years of industry experience, he has written extensively on many aspects of computers and communications, having published 19 books and more than 2000 articles in over 60 publications worldwide, including Telephony magazine. He can be reached at nathan.muller@espire.net.
© 2012 Penton Media Inc.