There’s an art to firewall management. Managed services providers (MSPs) need to restrict network traffic to keep malicious content out while enabling businesses to communicate freely with their partners, customers and prospects. MSPs must also update policies in response to new threats and client requests, continually monitor firewalls for alerts and manage it all efficiently and profitably.
Klaus Gheri, Vice President of Network Security at Barracuda, offers advice on firewall management best practices that can help MSPs successfully provide this service.
What are the best practices MSPs should follow with firewall management?
Gheri: Firewall management is often comprised of three distinctively different aspects:
- Initial setup and configuration – the latter can be exclusive with the MSP or partly available to the client, depending on a product’s ability to facilitate role-based administration.
- Life-cycle management – this includes keeping the product up to date with vendor patches and monitoring its operation.
- Security event management – this is a premium service where the MSP also moves in when the firewall triggers relevant security-related events (i.e., botnet traffic is intercepted trying to leave the LAN). In the latter case, this often includes reporting services, log analysis, and retention services.
When it comes to the different components of firewall management, the client should always be aware of what is and isn’t included in their contract. Further, MSPs should also clearly understand how much work is associated with each option to ensure they can provide the service in an economically viable manner. An upfront setup fee is advised to help cover the initial deployment costs, which are more time-consuming than maintenance and upkeep.
How can MSPs ensure security without restricting communications and internet searches?
Gheri: There is a natural trade-off between attainable protection and non-interference with client traffic. A good product rarely creates false positives from a security standpoint. However, it is much harder to go by a one-size-fits-all approach when it comes to internet access policies like web filtering. Here it makes sense to communicate to the client what the default policy is and allow the client to change it or help the client to adapt it accordingly. As such, it’s essential to open up select parts of the security policy configuration to the client within the confines of well-defined SLAs.
What is the most efficient way for MSPs to deal with alerts and audit logs?
Gheri: Alerts that the firewall can produce need to be classified according to a severity rating. Additionally, notification thresholds, e.g., the same event must happen more than this many times through a certain timespan, can help to reduce alert noise. Typically, there are only a handful of alerts that need administrative attention. For example, a firewall filtering out an attack through its IPS capabilities is an interesting fact for a report and brings out the product’s value. However, it is nothing that anybody needs to know about instantly. On the other hand, if the CPU load of a firewall starts to go through the roof, that is a different issue altogether and should trigger an alert with the MSP.
Audit logs are great for forensics needs and for creating activity reports. Vendor-specific tools are available, and most vendors offer their own log retention and reporting products. However, log retention should be part of the service package, and longer retention periods will incur greater service costs.
MSPs typically manage multiple firewalls for each client. So what’s the best way to ensure all the bases are covered?
Gheri: When managing multiple firewalls for a client, it is vital to use robust, multi-tenant capable central configuration management services. The ability to share policies and settings between firewalls, integrated life-cycle management capabilities to facilitate simple patch management and integration with zero-touch deployment services to simplify initial deployment and RMA handling is vital.
A REST API interface to the central management and the individual firewalls also allows for integration into the MSP’s proprietary platforms, often used to provide the client with a dashboard view of their managed firewalls.
Another critical requirement is the ability to propagate firewall alerts into the central management systems and onto an MSP’s own security and event management system to handle operations and security-related events that may occur on the firewalls.
What procedures should MSPs follow when the client adds new services?
Gheri: In a perfect world, the client can enter such requests through a portal from where the request can then be converted into a REST API call, which will update the firewall policy.