2006 MSSP Survey, Part 2: ISP-Planet's biennial survey of MSSPs finds even more features than ever, but make sure you understand what's included and what's extra when you compare services.
Everyone with an internet connection needs a firewall, from consumers with residential broadband to Fortune 100 enterprises with multi-homed fiber. Perimeter firewalls form our first and last line of defense, controlling and auditing the traffic that enters or leaves our networks. Firewalls can also establish trust boundaries inside networks; for example, to protect server pools, isolate wireless access points, or track access to regulated data.

Firewalls were perhaps the first network security need to be satisfied by providers. Many early providers bundled firewalls with internet links, treating access control lists and traffic logs as network service options. Even today, carriers routinely supply broadband routers with integrated stateful packet inspection filters. However, these provider-supplied firewalls are not managed services; they are merely unmanaged platforms. The exception in this year's list is Fiberlink, which no longer offers a managed network firewall but instead offers host-based security services covered elsewhere in this survey.

The firewall platform is usually located at the edge of the customer's network, commonly referred to as customer premises equipment (CPE). Some providers are willing to host that CPE device in their own data center (or at a data center operated by a local ISP partner). A few providers deliver customer firewall services from shared platforms (multi-service switches) within their own network; this is known as network-based or "in the cloud" service delivery. In this year's survey, 13 managed firewall offerings were CPE-based, while 6 were also available with hosted CPE. Just three surveyed providers (AT&T, MegaPath, and Perimeter) offered network-based managed firewall services. AT&T's network-based offering was the only link-dependent firewall in this year's survey. Just two MSSPs, Unisys and Verizon, specifically described managing customer-owned firewalls.
That can be appropriate for a large enterprise with significant platform investment that wants to outsource labor-intensive tasks. However, most MSSPs prefer to supply the platform along with services because doing so creates a familiar environment in which to repeatedly apply the same knowledge and tools. Customers benefit from the provider's investment while reducing their own capital equipment outlay.

Back in 1999, most surveyed providers supported one firewall: either Cisco PIX or Checkpoint Firewall-1. Over the years, we have watched providers embrace a broader mix of all-in-one appliances and purpose-built firewalls. This year, Juniper Netscreen joins Cisco PIX and Checkpoint as the most commonly cited firewalls. Unified Threat Management (UTM) appliances were mentioned about half as often, including Fortinet, SonicWALL, Cisco ASA, and ISS Proventia. Even MSSPs that sell their own UTM appliances (IBM ISS, SecureWorks, Symantec) now also support other platforms. On average, this year's MSSP supports three firewall platforms, and multiple models within each product line.

Many providers noted the importance of matching customer needs to platforms and features. For example, if you plan to procure additional security services in the future, you may wish to start with a UTM appliance. In fact, managed firewalls are often the launch point for deploying additional security services. Several MSSPs (AT&T, Getronics, IBM ISS, SecureDesigns, SecureWorks, Unisys, Verizon) incorporate virtual private networking as a standard feature of their managed firewall offering. Getronics and IBM ISS throw in several additional security services, including anti-virus, anti-spam, and web filtering. Many others offer those security services as extra-cost add-ons, installed on the same or separate platforms. Our detailed chart reflects provider responses, summarized and formatted to facilitate comparison.
To simplify feature comparison, we asked each MSSP to indicate support for a checklist of common firewall capabilities. Stateful Packet Inspection (SPI) turned out to be the only capability included by every service. High Availability (HA) was also universal, but many MSSPs charge for that as an option. Proxy and Application Layer firewall capabilities were fairly common, included in about half of the services and available as an option with most of the rest. To our surprise, a few firewall services lack Denial of Service (DoS) Protection or Demilitarized Zone (DMZ) support. This simple example demonstrates that one should never assume that services delivered on similar platforms will actually include the same capabilities. Some differences reflect packaging; for example, when DoS protection is supplied under a separate IPS offering. When shopping for a managed firewall service, start with an explicit requirements list and compare bottom-line prices after factoring in all required features and options.

Of course, a managed firewall service is far more than the sum of its platform capabilities. Key differentiators include the provider's change management, monitoring, and reporting processes. Hiring an MSSP means entering into a partnership. Every successful partnership requires solid agreement regarding responsibilities, division of labor, and communication paths. The right MSSP for your business should be capable of off-loading the tasks that you actually wish to delegate, performing them quickly and correctly, and supplying you with actionable results and recommendations. To give you a feel for these characteristics, we asked MSSPs to identify whether firewall rules were configured by the provider, customer, or both. We also asked them to briefly describe their firewall rule change and verification process, including any related service level agreements (SLAs).
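The "explicit requirements list, then bottom-line price" comparison described above, worked through as an added example that is not part of the ISP-Planet survey and does not describe any real MSSP. Provider names, feature availability and monthly prices are constructed; the point it shows is that the cheapest base price is not the cheapest service once required options are added, and that a service lacking a required capability should be excluded rather than ranked.

```python
"""Ranking managed-firewall offerings against an explicit requirements list.

Added example, not from the ISP-Planet survey or any surveyed MSSP. Provider
names, feature availability and monthly prices are constructed sample data.
"""

INCLUDED = "included"        # capability is part of the base service
UNAVAILABLE = "unavailable"  # capability cannot be had on this service at any price

# Constructed offerings: each feature is INCLUDED, UNAVAILABLE, or a monthly add-on price.
OFFERINGS = {
    "Provider A": {"base": 900.0, "spi": INCLUDED, "ha": 250.0, "proxy": INCLUDED,
                   "dos": INCLUDED, "dmz": INCLUDED},
    "Provider B": {"base": 600.0, "spi": INCLUDED, "ha": 400.0, "proxy": 150.0,
                   "dos": UNAVAILABLE, "dmz": 100.0},
    "Provider C": {"base": 1200.0, "spi": INCLUDED, "ha": INCLUDED, "proxy": INCLUDED,
                   "dos": INCLUDED, "dmz": INCLUDED},
}


def bottom_line(offering, requirements):
    """Return (monthly total, unmet requirements) for one offering.

    A feature the offering does not list is treated as unavailable, not as free:
    silence in a provider's feature chart is a gap until confirmed otherwise.
    """
    total = offering["base"]
    gaps = []
    for feature in requirements:
        status = offering.get(feature, UNAVAILABLE)
        if status == INCLUDED:
            continue
        if status == UNAVAILABLE:
            gaps.append(feature)
        else:
            total += status  # priced option, added to the bottom line
    return total, gaps


def rank(offerings, requirements):
    """Cheapest-first list of (total, name) for offerings that meet every requirement.

    Offerings with any gap are excluded rather than ranked: a missing DMZ or DoS
    capability is not something a lower price compensates for.
    """
    eligible = []
    for name, offering in offerings.items():
        total, gaps = bottom_line(offering, requirements)
        if not gaps:
            eligible.append((total, name))
    return sorted(eligible)


if __name__ == "__main__":
    needs = ["spi", "ha", "dos", "dmz"]
    for total, name in rank(OFFERINGS, needs):
        print(f"{name}: ${total:,.2f}/month")
    excluded = [n for n in OFFERINGS if bottom_line(OFFERINGS[n], needs)[1]]
    print("excluded for missing required features:", excluded)
```

With the constructed data, Provider B has the lowest base price but is excluded when DoS protection is required, and Provider A's option charge for HA still leaves it cheaper than Provider C's all-inclusive price; drop DoS and DMZ from the requirements and B becomes the cheapest eligible service.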
As shown in our chart, 7 providers are exclusively responsible for firewall configuration, while 9 are willing to share that responsibility with customers. Which model is best? That depends on your in-house expertise, business needs, and internal change management process. Consider the time required to implement change requests, the expertise necessary to assess potential operational and security implications, and the need to verify or reverse requested changes. Look for clear, easy-to-use, but secure interfaces through which to submit and track requested changes.

Finally, to compare event monitoring and reporting features, we asked MSSPs to indicate whether firewall events were monitored by the provider or customer, how those alerts and related logs are supplied, and whether automated response is part of the firewall service. Answers here varied, reflecting differences in philosophy and practices. For example, Verizon offers two managed firewall services: one with and one without firewall event monitoring. Several MSSPs offer both fully-managed and monitor-only services, giving customers the option of retaining configuration control while delegating resource-intensive monitoring to the provider's 24/7 Security Operations Center (SOC). To decide which is best for your business, consider how and when you will be informed of security incidents, the process used to escalate, investigate, and respond to those alerts, and the tools and knowledge required to analyze threats and take action in a timely manner. Don't wait until your firewall gets flooded by the next worm outbreak to start thinking about these questions. Use SLAs to quantify your expectations, then insist that your firewall provider meet them.

Firewalls excel at identifying and permitting good traffic. Recognizing and automatically stopping bad traffic starts at the firewall, but is increasingly augmented by complementary security measures that dig deeper into message content to assess intent.
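The "verify or reverse requested changes" step above is the part of a change process a customer can check independently of the provider. The following added example (not from the article or any MSSP's tooling) compares a rule set exported before and after a change against the change request that was submitted. The rule format (action src dst proto port, one rule per line) and the before/after rule sets are constructed stand-ins for a real platform's configuration export; the check flags adds and removes that were not requested, a requested remove that never happened, a change in the relative order of surviving rules (order decides matching on a first-match firewall), and any allow-all rule that appeared.

```python
"""Verifying that a requested firewall rule change was applied exactly as asked.

Added example, not from the ISP-Planet article or any MSSP's tooling. The rule
format and the before/after rule sets are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    proto: str   # "tcp", "udp" or "any"
    port: str    # port number or "any"


def parse_rules(text):
    """One rule per line in policy order; blank lines and '#' comments are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(Rule(*fields))
    return rules


def is_overly_permissive(rule):
    """An allow-all rule is never a routine change and is flagged whether requested or not."""
    return (rule.action == "allow" and rule.src == "any"
            and rule.dst == "any" and rule.port == "any")


def verify_change(before, after, requested_add, requested_remove):
    """Compare two ordered rule lists against a change request.

    'applied' is True only when exactly the requested adds and removes happened,
    rules present in both versions kept their relative order, and nothing
    overly permissive was introduced.
    """
    before_set, after_set = set(before), set(after)
    added = after_set - before_set
    removed = before_set - after_set
    # Relative order of rules that survive the change must be unchanged.
    kept_before = [r for r in before if r in after_set]
    kept_after = [r for r in after if r in before_set]
    report = {
        "missing_adds": set(requested_add) - added,
        "missing_removes": set(requested_remove) - removed,
        "unexpected_adds": added - set(requested_add),
        "unexpected_removes": removed - set(requested_remove),
        "order_preserved": kept_before == kept_after,
        "risky_adds": {r for r in added if is_overly_permissive(r)},
    }
    report["applied"] = (
        not report["missing_adds"] and not report["missing_removes"]
        and not report["unexpected_adds"] and not report["unexpected_removes"]
        and report["order_preserved"] and not report["risky_adds"]
    )
    return report


# Constructed sample: the request was "add SSH from the internal range, remove the SMTP rule".
BEFORE = """
allow 10.0.0.0/8 192.0.2.10 tcp 443
allow any 192.0.2.20 tcp 25
deny any any any any
"""

AFTER = """
allow 10.0.0.0/8 192.0.2.10 tcp 443
allow 10.0.0.0/8 192.0.2.10 tcp 22   # requested
allow any 192.0.2.20 tcp 25          # should have been removed
allow any any any any                # never requested
deny any any any any
"""

REQUEST_ADD = [Rule("allow", "10.0.0.0/8", "192.0.2.10", "tcp", "22")]
REQUEST_REMOVE = [Rule("allow", "any", "192.0.2.20", "tcp", "25")]


def run_example():
    """Verify the constructed change; returns the report dict."""
    return verify_change(parse_rules(BEFORE), parse_rules(AFTER), REQUEST_ADD, REQUEST_REMOVE)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

On the constructed data the report shows `applied: False` with the SMTP rule in `missing_removes` and the allow-all rule in both `unexpected_adds` and `risky_adds`; that is the output a customer would attach to a change ticket when asking the provider to correct or reverse the change. The same function accepts any two exports in the simple format shown, so it can be run on every change rather than only on the suspicious ones.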
In the next installment of this series, we will examine one closely-related security service: Managed Intrusion Detection and Prevention.