In part 1 and part 2 of this network security series, I explained how to plan a general structure, get management's involvement, and prepare your users for your network security system. In part 3, I described hardware and software options, and I explained how to determine the best options for your project. In this Daily Drill Down, I’ll cover the architecture, purchasing, installation, and initial configuration of your network security system.
So, who gets to take your money?
Okay, so you’ve decided on an external firewall. In fact, you’ve decided on two, because the Internet is important to your business and you want to have load balancing, load sharing, and failover in case something happens. Let’s say you’ve decided to use two Nokia firewalls and have your remote users connect with SecuRemote. You have a few hundred users internally—and only a few valid IP addresses with which to work.
Now is the time to make that phone call to your friendly neighborhood reseller. These people can be your best friends, your worst enemies, or somewhere in between. An important step in ensuring the success of your security project is to find a good reseller and develop a solid relationship with them.
So how do you go about finding a good reseller?
Start by asking around. I’m sure you have colleagues who have gone through this process, and they’re usually willing to share their experiences. Unfortunately, more often than not you’ll find out which resellers NOT to use—but that’s as important as finding out which ones to choose.
Next step: Crawl the tradeshows. Get cards, talk to people, and see what’s going on.
Finally, read the information security magazines. All of the major resellers and service providers advertise in the big information technology and security magazines, and from there you can easily build a list of people to talk to.
The hard sell
Before you start calling people on your list, be prepared. Have at hand information about your current situation and your requirements. A reputable company will get you to the right sales rep for your area immediately. If you like the people you talk to, ask for a meeting with the sales rep and one of their implementation engineers. If the sales rep doesn’t agree immediately, that’s a sign something is wrong with the company.
When the sales rep and the engineer arrive, talk to them both. Some folks have a tendency to discuss technical details with the engineer and ignore the sales rep entirely. This approach is not the way to begin your sales relationship with the rep. If you’re not talking with the rep because you don’t like him or her, or can’t really deal with the person, this is not the company for you, even if the engineer is great. Your sales rep decides how much you pay for your machines and how smoothly the acquisition process goes, so he or she is the most important part of this deal.
Finally, ask for references from the company. Any good reseller will be able to give you at least a few local references who are willing to talk with you about their experience with the company. If the reseller can’t provide any references, they aren’t the ones to deal with.
What should you buy, why should you buy it, and why does it cost so much?
Once you’ve found a good reseller, you need to place your order. At this point, most resellers will attempt to sell you a security audit. Often this is a good idea, and I recommend it for a lot of companies. If you don’t have the internal expertise to determine your risks and requirements, a good audit will give you an honest assessment. And it can definitely provide you with an indication of the quality of the reseller. If the reseller sends two engineers to your company for three days, they poke and prod everything, and then give you a thorough report listing the good and the bad, you know you’re getting an honest assessment from an honest reseller. If, on the other hand, the report is three pages long and looks like a marketing brochure for whatever it is the company is selling, kick them out of there as fast as you can.
Once the audit is done, the reseller will attempt to sell you architecture services. Once again, for many companies this is a good idea. The people who design these systems are very good at what they do, and they deal with networks like yours every day. They know what works—and what doesn’t—and what can be made to work in a pinch. Even though architecture services can cost you up to $2,500, they can save you serious money. In the short run, architecture services prevent you from buying too much machine for your network, or from making expensive choices that won’t work with your requirements. In the long run, they ensure you have a system that you won’t have to replace as you expand or add new applications.
At this point, you can start ordering the hardware. My advice is to bid the entire system out to one reseller all at once. A good reseller will be able to put all the products you want on a single plan for you, and then start knocking off the retail cost. In general, the more you buy from a single reseller, the better deal you’ll get. And you have the added benefit of going to one source for support, parts, and warranty service.
You have the hardware—now what?
So, now your hardware is finally delivered, and it’s time to install and configure it. Once again, you have a few options.
The first option is to attempt to put in the system yourself, with no assistance and no training. Obviously, I think this is generally a bad idea. Even a seemingly simple firewall configuration is a very big deal. I have yet to see a firewall that can be dropped in without some tweaking and twisting, and unless you have the experience and training necessary to deal with these problems, your security project will be a total nightmare.
A second option is to have your reseller install and configure the system for you. It’s a sure bet your reseller is going to try to sell you on this approach, and it may be the best choice for your company. This is especially true if you know you won’t be able to spare the labor to do the job or dedicate someone to maintain the system. The going rate for implementation services is between $2,000 and $2,500 a day, with the average project running three days. A highly trained and experienced engineer will come to your site, set up your system, configure it based on your security policy, and ensure it works. The disadvantage to this approach (other than the cost) is that once the highly trained and experienced engineer leaves, you are either on your own or dependent on the reseller to provide you with support.
A third option is to get trained on the firewall system in question, then do the install. Once again, your reseller will be happy to sell you training for your firewall. Training courses currently range in cost from $1,200 to $2,500, and are probably the single best investment you can make in this process. A good basic training course will cover the installation and basic configuration of the machine in question, along with some simple troubleshooting techniques. Most vendors also offer a more advanced training program covering high-end configuration, advanced functions, and optional extras. Typically, training classes last from two to three days; often a package is available with both the basic and advanced course offered in a single week. There may even be a certification with the training. Your reseller may be able to arrange training on your site, tailored to your specific needs.
I recommend that you take the training and have the engineer come onsite to assist you with the installation and configuration. That way, you get practical experience setting up your system, and someone who knows your security system is there to teach you the tips and tricks not covered in the courseware. I’ve always had the best results with this method, and I recommend it to almost everyone.
Is there anything else you should think about?
There is one other option, which may be the best choice for a lot of companies: managed security services. What this means is that you call up a company and say “I need a firewall,” and the company does it all for you. It sends someone to your site, performs an audit, determines your needs, builds a system for you, buys it, installs it, configures it, and then maintains it, either remotely or onsite. This setup offers some pretty big advantages. For example, you don’t need to have any internal expertise. There are no headaches with purchasing, dealing with vendors, and getting support, and you don’t need to worry about paying an employee $75,000 a year plus benefits because the company has a bunch of people pre-certified and ready to go. Also, these shops generally provide 24-hour-a-day, 365-days-a-year support. Getting that same support from the vendor of the firewall may cost more than the firewall itself.
Of course, none of this is cheap. That’s the only bad thing about this whole scenario. You pay for the convenience of having someone else deal with it. I honestly think this is a worthwhile tradeoff for many companies. If you don’t have the labor to handle this project on your own, I recommend looking into a managed firewall solution.
Chris Dinsmore is a senior network architect for the Salinas Group, a prominent network security services and consultancy organization. He’s certified in several major firewall and network management platforms, and he has eight years of experience in the support, administration, and security fields. Prior to working with the Salinas Group, he operated a successful MIS and network consulting business for seven years.

The authors and editors have taken care in preparation of the content contained herein, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.