There’s an art to firewall management. Managed services providers (MSPs) need to restrict network traffic to keep malicious content out while enabling businesses to communicate freely with their partners, customers and prospects. MSPs also need to update policies in response to new threats and client requests and continually monitor firewalls for alerts — and manage it all in a way that’s most efficient and profitable.
Klaus Gheri, Vice President of Network Security at Barracuda, offers advice on firewall management best practices that can help MSPs successfully provide this service.
In general, what are best practices MSPs should follow with firewall management?
Gheri: Firewall management often consists of three distinctly different aspects:
- Initial setup and configuration — the latter can be exclusive to the MSP or partly available to the client, depending on a product’s ability to facilitate role-based administration.
- Life-cycle management — this includes keeping the product up to date with vendor patches and monitoring its operation.
- Security event management — this is a premium service where the MSP also steps in when relevant security-related events are triggered by the firewalls (e.g., botnet traffic is intercepted trying to leave the LAN). In the case of the latter, this often includes reporting services as well as log analysis and retention services.
When it comes to the different components of firewall management, the client should always be aware of what is and isn’t included in their contract. Further, MSPs should also have a clear understanding of how much work is associated with each of these options in order to make sure they can provide the service in an economically viable manner. An upfront setup fee is advised to help cover the costs of the initial deployment, which tends to be more time-consuming than maintenance and upkeep.
How can MSPs balance the need for security with the client’s need for uninhibited communication and internet searches?
Gheri: There is a natural trade-off between attainable protection and non-interference with client traffic. A good product will only very rarely create false positives from a security standpoint. When it comes to internet access policies like web filtering, it is much harder to go by a one-size-fits-all approach. Here it makes sense to clearly communicate to the client what the default policy is and allow the client to change it or help the client to adapt it accordingly. As such, it is important to be able to open up select parts of the security policy configuration to the client within the confines of well-defined SLAs.
What is the most efficient way for MSPs to deal with alerts and audit logs?
Gheri: Alerts that can be produced by the firewall need to be classified according to a severity rating. Additionally, notification thresholds, e.g., the same event must occur more than a given number of times within a certain timespan, can help to reduce alert noise. Typically, there are only a handful of alerts that need administrative attention. A firewall filtering out an attack through its IPS capabilities, for example, is an interesting fact for a report and brings out the value of the product. However, it is nothing that anybody needs to know about instantly. If the CPU load of a firewall starts to go through the roof, that is a different issue altogether and should trigger an alert with the MSP.
Audit logs are great for forensics needs and to create activity reports. There are vendor-specific tools available, and most vendors offer their own log retention and reporting products. Log retention should be part of the service package, and, of course, longer retention periods will incur greater service cost.
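The triage approach Gheri describes (a severity rating per event type, a count-within-timespan threshold before anything pages the MSP, and report-only handling for IPS blocks) sketched as an added example; this is illustrative code, not Barracuda's or any vendor's product logic. The POLICY table and the event records are constructed for the example.

```python
from collections import defaultdict, deque

# Hypothetical classification table, constructed for this example:
# event type -> (severity, pages the MSP?, (count, window_seconds)).
# An alert fires only when more than `count` events of that type are
# seen on one firewall inside `window_seconds`; (0, 0) means "always".
POLICY = {
    "ips_block":     ("info",     False, None),      # report-only, never pages
    "auth_failure":  ("warning",  True,  (5, 60)),   # more than 5 in 60 s
    "cpu_high":      ("critical", True,  (0, 0)),    # page immediately
    "botnet_egress": ("critical", True,  (0, 0)),    # page immediately
}

# Constructed sample events: (epoch seconds, firewall id, event type, detail).
SAMPLE_EVENTS = [
    (0,   "fw-01", "ips_block",     "blocked exploit attempt (for the report)"),
    (5,   "fw-01", "ips_block",     "blocked exploit attempt (for the report)"),
    (10,  "fw-01", "auth_failure",  "admin login failed"),
    (20,  "fw-01", "auth_failure",  "admin login failed"),
    (30,  "fw-01", "auth_failure",  "admin login failed"),
    (40,  "fw-01", "auth_failure",  "admin login failed"),
    (50,  "fw-01", "auth_failure",  "admin login failed"),
    (55,  "fw-01", "auth_failure",  "admin login failed"),   # 6th within 60 s
    (100, "fw-02", "cpu_high",      "load average 98% for 5 min"),
    (120, "fw-01", "auth_failure",  "admin login failed"),   # window was cleared
    (130, "fw-02", "botnet_egress", "outbound connection to known C2 sink"),
]

def triage(events):
    """Split firewall events into instant alerts and report-only items.

    Every event lands in the report with its severity. An event type that
    pages the MSP is tracked per (firewall, type) in a sliding window; once
    the count exceeds the threshold one alert is emitted and the window is
    cleared, so a burst produces a single page rather than one per event.
    """
    windows = defaultdict(deque)
    alerts, report = [], []
    for ts, fw, kind, detail in sorted(events):
        severity, pages, threshold = POLICY.get(kind, ("info", False, None))
        report.append((ts, fw, kind, severity, detail))
        if not pages:
            continue
        count, window = threshold
        seen = windows[(fw, kind)]
        seen.append(ts)
        while seen and ts - seen[0] > window:   # drop events outside the window
            seen.popleft()
        if len(seen) > count:
            alerts.append((ts, fw, kind, severity, f"{len(seen)} in {window}s: {detail}"))
            seen.clear()
    return {"alerts": alerts, "report": report}
```

Running `triage(SAMPLE_EVENTS)` yields three alerts (the sixth login failure, the CPU spike and the botnet egress) while the IPS blocks and the lone later login failure stay in the report only.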
MSPs aren’t just managing one firewall for one client, but multiple firewalls. What is the best way to ensure all the bases are covered?
Gheri: When managing multiple firewalls for a client, it is key to make use of powerful, multi-tenant capable central configuration management services. The ability to share policies and settings between firewalls; integrated life-cycle management capabilities to facilitate simple patch management; and integration with zero-touch deployment services to simplify initial deployment and RMA handling are key.
A REST API interface to both the central management and the individual firewalls also allows for integration into the MSP’s proprietary platforms, which are often used to provide the client with a dashboard view of their managed firewalls.
Another important requirement is the ability to propagate alerts from the firewalls into the central management systems, and from there onto an MSP’s own security and event management system in order to handle operations and security-related events that may occur on the firewalls.
What procedures should MSPs follow when the client adds new services?
Gheri: In a perfect world, the client can enter such requests through a portal from where the request can then be converted into a REST API call, which will update the firewall policy.