WORKSHOP

The 'Ins' and 'Outs' of Firewall Security

September 6, 1999
Depending on the service provider, you get several levels of preinstallation support. In its response to our managed firewall RFP last year, Intermedia Communications (Digex) proposed to visit the customer's site and run a complete security and network audit while collaborating to develop a strong security solution. On the other end of the spectrum, MCI WorldCom didn't provide any support for building an initial security policy in its RFP response.

In selecting an outsourcer, take the opportunity to draw on the service provider's experience to fine-tune your security. As part of your outsourcing research, try to gauge the provider's expertise by talking to other customers and asking about employees' experience and training.

Also, use caution in developing a security plan and communicate clearly defined business requirements to the vendor when outsourcing. Remember that firewall security also involves any trading partners who access your network via an extranet or intranet.

Firewall location typically depends on whether the firewall service provider is your WAN provider (this is PSINet's model), or if the firewall can be managed regardless of the WAN (as was proposed by Intermedia and Technologic Software). Centrally locating the firewall at the WAN provider's premises lets the service provider maintain it in a secure facility, eliminating the need to send field technicians to the site to make changes. Housing the equipment on your site, on the other hand, means you will need to provide a secure location and allow access to the service provider's technicians--but other than plugging in a few wires, you need not be concerned about much else under this arrangement. Location has a direct impact on security if you are using a VPN between sites (see "Firewall Location," page 123). The final mile, such as a frame-relay PVC (Permanent Virtual Circuit), will be exposed to network analysis if the VPN is terminated at the central site and the data is sent in the clear to the network.

Many service providers also incorporate IDS (intrusion detection service) in the package. An IDS server sits near the firewall on the internal side and monitors traffic attempting to traverse the firewall, which serves two purposes: If an attack is detected, central administrators can take immediate action, and the service provider can ensure that its firewall is properly configured.

Another key benefit of outsourcing security is round-the-clock monitoring and management. Sure, 99 percent of the time your firewall will silently sit in the network, passing packets according to your security policy, but what happens when you're attacked in the middle of the night or the firewall crashes on a holiday? Someone needs to take action. NOCs (Network Operation Centers) established by the service provider are staffed; you'll need to train support personnel and define security incident procedures.

A downside of outsourcing is that making configuration changes may take as long as 24 hours, and problem resolution becomes very time-consuming if you're stuck in a service provider's work-order queue. Because emergencies usually get first attention, run-of-the-mill issues and changes can fall by the wayside, which may affect the timeliness of your security.

With regard to pricing, our aforementioned RFP shows that there may not be a huge difference in price. Both Intermedia and Technologic submitted figures within $15,000 of each other, while PSINet and WorldCom proposed much more expensive solutions (though PSINet's proposal included WAN costs). For the extra cost, you get 24x7 monitoring, IDS services, threat assessment and extensive initial consultation--all worth the price.

So where does that leave us? Managing your own firewall makes sense when you have the resources and skills in-house. For the incremental cost of equipment, you get complete control over your network security by choosing best-of-breed products tightly integrated with your business needs. For smaller shops that lack the resources to devote to firewall management, outsourcing can be a cost-effective alternative.

Send your comments on this article to Mike Fratto at mfratto@nwc.com.


