-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, 1 Feb 2006, Paul Melson wrote:
> -----Original Message-----
> Subject: Re: [fw-wiz] FW appliance comparison - Seeking input for the forum
>
>> I think it would be interesting to know what type of group of was
> responsible for managing
>> the firewalls in the study. I am moving an account off of a Checkpoint
> being managed by a
>> services organization onto a PIX platform (no intent to start a vendor
> war) - and I have
>> been surpised by the permissiveness, and redundancy, in the "managed"
>> ruleset. The managed set broke two of the major rules in the documented in
> the paper - and
>> possibly a third if I had it on front of me.
>>
>> Of course this takes a new tangent; but it would be an interesting study.
>
> Haha! I have to tell you, as soon as I read this, I immediately thought of
> two vendors and am wondering if either of them are the vendor in this case.
> But embarrassing vendors - as fun as it is - isn't part of the list charter.
>
> The one thing that always struck me funny about these situations where an
> MSSP does a lousy job of remotely managing a Check Point rule base is that,
> in order to get Check Point's seal of approval, you've got to run
> Provider-1, which is a fairly large cash layout to start a service like
> that. But then to not spend much if any money on staff and staff
> training...
>
> I guess I shouldn't be surprised, but I am. And amused. But only because
> it's not my firewall. :-)
>
Ahh, MSSP's, interesting worked with a couple over the years and
discovered that again for the most poart they tended to staff with
contractors with the same skills as a monkey with a fine tool can
accomplish. Jhiring someone with or near to acquireing a CISSP, and
giving them enough training so they are somewaht familiar with the layout
of the gUI to manges a checkpoint firewall box, yet not a clue as to what
the ports and protocols residing on those ports means, ended up with
pretty much open routers for the vast majority of clients. Thing I got
into arguments about with fellow staff and managers all the time was; a
client makes a stupid request, so what to I as the responsible tech in
such a case do? My argument was, let the client know why there request to
open up the world to theit network in a nast way was in fact stupid, they
afterall were paying for my expertise and guidance. Should the client
still insist that I impliment the stupid request, then yes, it's their
network and they have a full right to do stupid things in their own nest.
What I was combatting were those lazy folks that just insisted the job at
hand was to impliment and close the ticket as fast as possible as it
looked good to upper mgt for the fast turn around.
Of course, I was often shocked at the SLA's that formed the basis of the
outsoourced security contracts, which often failed to mention or
request/demand that expertise on the MSSP side was truely a factor in the
managed needs of the clients. Noe gets what one bargainsand pays for....
Thanks,
Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover
instead of creating the perfect love.
-Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFD4ogqst+vzJSwZikRAjnkAJ4iVpPSLr1MGWqlTGnB3Z6iW6kgXQCeLaOX
sX4vC1lkuyxhEA6j7dUFi/w=
=OVwR
-----END PGP SIGNATURE-----
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Feb 02 2006
Intro
