Managed Security Services

Managed Security Service: A Primer

We've all heard the term, but what is this market all about? Here's an in-depth survey.

Recent years have seen tremendous growth in outsourcing all aspects of IT, creating a burgeoning market for managed services. Companies seeking to outsource typically expect providers offering managed services to supply the whole enchilada, from consultation and planning to hardware, software, administration, monitoring, and help-desk support. Customers can thus leverage a service provider's infrastructure and expertise to sidestep the relentless capital investment needed to keep pace with technology.

When aspects of enterprise security are outsourced to an ISP, which is happening more and more, we've got a managed security service. There are several types of managed security services: managed VPN services, managed firewall services, even managed secure application or web-hosting services.

Minding others' business

To get a better feel for typical features and emerging trends, we surveyed several commercially available managed security services. We limited our survey to security infrastructure services: VPNs, firewalls, intrusion detection, anti-virus protection, and active content management (filtering and blocking). To maintain focus, we did not include secure application services (email, web hosting, enterprise resource planning) that are increasingly offered by a different kind of service provider: an ASP (Application Service Provider).

Our findings, the core of this survey, are summarized in a comprehensive table, below. We precede the table with some observations pertinent to each major category of managed security service.

Managed VPN

VPNs can be supported with a variety of tunneling technologies: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), Internet Protocol Security (IPSec), and other circuit or application proxies. We found IPSec most common, with fair diversity in hardware platform, nearly always located on the customer's premises. Pilot Network Services' approach (see table entry) is a noteworthy exception here.

Our survey table also identifies features that caught our attention, such as token-based authentication, integration of public key infrastructure (PKI), and service level agreements (SLAs). For example, GTE offers proactive monitoring and money-back guarantees for the following SLA: 99.9 percent availability and 125 ms or less round-trip latency between NOC and VPN CPE, 97 percent busy-free remote access or industry average, whichever is higher. Customer network management (CNM) provides on-line access to real-time and historical usage data.

Managed Firewall

In many cases, one CPE firewall provides an integrated platform for both managed VPN and firewall services. A customer may subscribe to a managed firewall service and later add VPN support. Nearly every managed firewall service we saw involves CPE; AT&T/IBM Global Services is an exception to this rule.

As with VPN, our survey table also identifies features that caught our attention, such as analysis reports, detailed logging, incident response support, and network forensics consultation.

Additional security services

When included in a managed security service, Anti-Virus Protection (AV) may involve in-line scanning of packets flowing through a firewall or VPN device, or it may involve deflecting packets to an AV server using the content vector protocol. Some mail server AV products scan just email, an extremely popular carrier for infected attachments. As expected, we found most AV services to include regular updates.

We use the term Active Content Management to refer to services that filter or block traffic based on destination or user. Typically a firewall add-on subscription service, these products limit employee access to undesirable sites to reduce non-business activity and bandwidth consumption. They also allow enterprises to keep tabs on URLs or files being accessed. Half of the ISPs surveyed offer this service; this is a growth market.

The most prevalent managed security service, after VPN and Firewall, is Intrusion Detection. IDS platforms may probe individual hosts or servers, or scan entire networks. The key to offering a managed Intrusion Detection service is automated scanning, incident response, and escalation procedures. Corrective action must be initiated automatically; it is not enough to warn of intrusion after the damage has been done. The most successful managed ID service providers will be those that do this well.

Final thoughts

Most managed security services are not yet "complete packages"; they include some combination of single service offerings of the categories we surveyed. And while a number of ISPs have SLAs for QoS, we did not find a single ISP with a Security SLA. We expect these situations to change as the managed security services market matures. Security requires expertise; customers must be assured that ISPs really know what they're doing. This requires complete solutions with money-back guarantees.

The information included in this survey was drawn from service provider web sites and responses to email inquiries.
This survey is intended to be representative, not exhaustive. Please contact service providers directly for further information on any managed service that interests you.