Managed Security Services

Survey of Managed Security Service Providers: Managed Firewall

ISP-Planet's biennial survey of MSSPs finds a wide variety of managed firewall products, service level agreements, and add-on services.

by Lisa Phifer
VP Core Competence, Inc.
[May 16, 2003]

Managed Firewall Services (see chart) establish a security perimeter between the customer's network and Internet access link(s). The provider is typically responsible for firewall hardware/software (HW/SW) installation and provisioning firewall rules to reflect the customer's security policy. Remote management and 24/7 event monitoring are usually provided from the MSSP's Security Operations Center (SOC). All services in our table are link-independent and include 24/7 monitoring and automated response unless otherwise noted.

Most providers install customer premise equipment (CPE) firewalls at the Internet-facing edge of the customer's network. Two survey participants (AT&T and ClearPath) offer network-based firewall services, where rules are implemented at the customer-facing edge of the provider's network. Network-based firewalls require access links from the same provider; CPE firewalls are usually link-independent.

In either case, always inquire about service bundles when purchasing both security and network access. Link-independent services leave more room for local bargain-hunting. They let you buy security from security specialists and networking from network specialists. On the other hand, bundled services mean a single responsible party for installation, upgrades, troubleshooting and billing. Also, tight coupling can sometimes improve performance, for example when managing quality of service end-to-end.

As in 2001, CheckPoint Firewall-1 (FW-1)/VPN-1 dominates our firewall platform list, but this year many are using CheckPoint software on Nokia hardware. Cisco (and to a lesser extent, NetScreen) appear to be chipping away at CheckPoint's lead. In addition, many providers now support several off-the-shelf firewalls or custom firewall appliances. Both trends seem to be intended to increase service differentiation. Some MSSPs want to deliver unique, high-quality services by building a better mousetrap. Others want to become platform-agnostic, delivering a wider range of solutions in hopes of expanding their customer base.

We asked each provider to describe their procedure for handling policy updates. When outsourcing, customers worry about losing visibility and control; addressing these concerns is essential. MSSPs should authenticate all policy change requests, whether submitted by phone, secure web portal or e-mail encrypted with PGP (Pretty Good Privacy). Providers differentiate change handling by offering stronger authentication, more extensive pre- and post-change verification, and expert analysis to identify impact and suggest alternatives to reduce risk.

Providers were also asked to explain how firewall service reports and logs are made available to customers. Secure Web report access is the norm; real-time or download log access is reasonably common, but hardly universal. A major benefit of outsourcing security is to offload the enormous chore of log analysis. But visibility is still important. Customers may want to spot-check logs to increase confidence or to learn more about an attempted attack. On the other hand, reports and logs contain sensitive information and should only be accessible to designated Points of Contact (POCs).

Most firewall services are accompanied by Service Level Agreements (SLAs) that specify certain procedural or health and performance metrics. Provider SLA responses are briefly summarized in our table, but actual SLAs are carefully written contracts (see our Sidebar on Service Level Agreements). The best SLAs (SLAs "with teeth") include penalties for non-compliance, usually in the form of credits against future service. But note that most SLAs guarantee service, not security. To be compensated for business loss due to attack, consult your business insurance policy, not your SLA.

We also asked providers to identify managed firewall service add-ons. High Availability (HA) and VPN are quite common—in fact, these add-ons often leverage standard features built into firewall platforms. Most providers also mentioned other security services included in our survey. For example, MSSPs usually run vulnerability scans against firewalls after installation to verify compliance with customer policy. Future scans may be included with the firewall service or purchased separately. See "Comments" for add-ons like these and additional notes about each service.

Next week, in part 3 of our survey, we will cover managed VPN services.

—End

Related articles:
  [July 11, 2001] ISP-Planet Survey: Managed Security Service Providers
  [Nov. 13, 2000] What To Look For In A Managed Security Provider
  [Dec. 9, 1999] Managed Security Service: A Primer

Online resources:
  MSSP Chart
  MSSP Firewall Chart

 

 
