Protecting networks from outside attack is far too important to just run "by the numbers." Although a lot of discussion about firewall and VPN appliances involves performance numbers—and these are critical—IT managers should be even more concerned with how quickly firewall rules and alerts can be managed.
Furthermore, IT managers should turn their backs on any notion of security as a "service" for the same reason. Based on eWeek Labs testing, it is clear that high-end security appliances are too powerful to be placed in the hands of someone who wont suffer immediate and dire consequences if something goes wrong.
The confusion about threats and the fact that good security policies require an intimate knowledge of IT weaknesses are also good reasons for organizations to keep their security management in-house.
Finally, as we discovered, once again, in our examination of two high-end firewall/virtual private network appliances, Nokia Corp.s IP740 and SonicWall Inc.s GX650, creating effective access rules demands an intimate knowledge of how your organization works.
It isnt enough to put a service-level agreement in place and then proceed with monthly throughput and blocked-attack reports. Security appliances by their nature are throttles on network performance that must be adjusted to get the right balance between security and openness.
We were impressed with the Nokia IP740s ability to use Check Point Firewall-1 to push out access rules and security policies to test devices from a central location. We were able to write a rule once and easily distribute it to all the devices in our test network. In the real world, being able to deliver up-to-date rule sets that provide real protection for the network is just as important as the speed with which those rules process information.
Generically written access rules, the kind that are likely to come from a consultant, are easily made redundant or, worse, nullified by subsequent rules. This erodes productivity. Efficient, effective rules require an insiders knowledge of the organization.
This isnt to say that there isnt room for security consultants while planning and implementing a firewall/VPN rollout. In fact, outsiders are especially good at initially evaluating IT weaknesses and making recommendations to patch the most obvious holes.
However, IT managers should be leery of using outsiders to control access to the information and systems that are the basis for businesses, whether made of "e" or clay.