I would appreciate any comments on firewall management.
I recently have been faced with the choice between paying for a firewall management service at $1000+ in setup costs and $175 / month thereafter or deciding on managing the firewall myself.
We have hired some outside contractors to set up our networks and they have built this firewall management service into their proposal, but I am not sure that we necessarily need it and would like to remove it from the proposal to save some cash.
The outside contractors chose the Cisco ASA5510 and the managed firewall service for the box will include:
security updates in the form of patches, releases and upgrades
event log analysis
enforcement point management
Basically, I am asking, is it worth it? Would it be hard to manage the firewall on my own? I am a programmer with a basic understanding of networks.
I'm not sure I would trust that service: they aren't charging ENOUGH to be able to do a good job of policy administration, incident detection, and event log analysis -- not unless you are a very small organization whose network is already partly sheltered by someone else's firewall.
Based upon your wording, I would deduce that you have never managed a Cisco PIX or Cisco ASA. If I am correct, then chances are quite small that you would be able to provide the above management services to your company for less than the equivalent of $175 per month (wot, roughly one day's pay per month?), taking into account your startup costs of learning the ins and outs of the device and your startup costs of writing a -correct- event log analysis program.
Even if you only get 1500 events per day, that'd be 45000 events per month that would have to be correlated and analyzed. To be able to analyze that in less than a day's work (i.e., costing your company a day's pay per month in lieu of paying the consultant $175 per month), you would have to analyze the events at a rate approaching two events fully analyzed per second. And if you have a company large enough to warrant a 5510 instead of a 5505, then you are very likely going to get a lot more than 1500 events per day. (For example, we collect 200,000 to 300,000 events per day for 500-ish IP addresses.)
The only company that I know of that could -plausibly- manage event log analysis and incident detection at a marginal rate of $175 per month for a very small network, would be Counterpane Security... and I'm relatively sure that they would charge a LOT more than $1000 to set everything up for you.
[Of course, you shouldn't naively trust what one bundle of hot hair (i.e., me :) ) says about firewall management. Before committing either way, do some credibility analysis, such as searching google groups on a key of author:roberson group:comp.dcom.sys.cisco ]
Assuming you like them and they normally do a good job... SNAP THAT DEAL UP! It's a very good price. Especially for the continuing maintenance. I have to believe that the only reason they are offering you these prices on the firewall is because they have your other business and would like to keep it that way. There is no way in hell that a contractor would offer you these prices for the firewall alone. At least I sure never would. Hell, 175/mo? At a (routine) rate of $120/hr or so, that would only account for a little more than an hour. Hell, he'd tie up that much time simply collecting your requirements. Much less for making the change itself!
You have deduced correctly. I have never managed a Cisco PIX or Cisco ASA.
I was not sure whether 175 was cheap or expensive. You obviously believe it is cheap, and I suspect that they are charging such a low price because our network is extremely simple with only 3 IPs behind the firewall.
MTM Technologies is not one I had heard of before. They do seem to be big and doing well in the marketplace.
Checking google groups, searching for "MTM Technologies" and eliminating all the various job offering newsgroups, I find only 6 references to them, only one of which actually says anything about the company (a press release that happened to get listed into an anti-spam newsletter.)
When I google the company, I find page after page after page of financial references, and nearly no third-party references in the time I was willing to spend looking.
The financial information and company job description suggest that they are definitely not a two-bit company, but the fact that they aren't getting discussed gives me pause. It could be partly explained if they had a major name change, I suppose, but that aforementioned press release is from 2004, and two years is quite sufficient time for people to have mentioned the work of any major security company.
Ask them how many hours per month are included for the monthly rate of 175 USD. If they say that they'll look after your firewall for 2 or more hours per month (and they really do it ...) their offer seems fair. Ask them what kind of reports they'll produce and look at examples of those reports before you sign the contract.
In general the offer seems quite all right to me. Ask them to keep you informed about everything they do on the firewall (what they have done, when they did it and how long it took them). Make a contract about how changes in the policy have to be authorized. Apart from routine tasks like log analysis, generating reports and the installation of (urgent) security patches they must not do anything without prior confirmation from you.