The Hidden Opportunity: Managing And Supporting Firewalls


Firewalls heat up in SOHO and SMB markets


Everyone needs a firewall these days. As small/home offices and businesses establish dedicated, high-speed Internet connectivity, the need for protecting their networks increases.

Historically, the only option for dedicated access was costly T-1 lines and enterprise-class firewalls. But as digital subscriber lines (DSL) and cable-modem connectivity become more prevalent and stable, SOHO and SMB customers increasingly have a place to turn to for lower-cost alternatives. Even branch offices of large, multinational organizations are evaluating the possibility of replacing their dedicated T-1 lines with DSL or cable-modem lines. Making the switch to either technology from dial-up or dedicated connectivity, however, requires the connection to be secured through the use of a firewall.

For VARs, selling firewall technology has been a good revenue stream. Unfortunately, firewall technology has become more of a commodity, and margins are shrinking, leaving VARs to search for new revenue sources. One such source is the support and management of the firewall. So just what are the opportunities, and how can VARs move to the next level beyond just selling the product? Read on.

Meeting In the Middle

Let's first take a look at the landscape. Until just a few years ago, there were enterprise-class firewalls, and little else. Then a new class of products that could best be called residential gateways was created. These were simple boxes that typically included Ethernet hubs, performed primitive network-address translation and automatically served up TCP/IP addresses. They really weren't firewalls as we now know them, though they did provide some protection for office/home and small-business users.

SOHO/SMB firewalls are the next step up, and a nice middle ground between residential gateways and firewalls for the enterprise. They come in a variety of shapes and styles, both in hardware and software formats. Hardware firewalls are a single-product approach. You need install only one device at the Internet entry point, be it a DSL or cable modem, and the network is always protected. It doesn't matter which OS you are using, because nothing is required to run on your networked systems. These devices are configured through a Web-based interface. The downside is they tend to be pricier than their software counterparts.

On the software side, there are a couple of different options. Newer OSs, such as Windows XP and Apple Mac OS X v. 10.2 (known as Jaguar), include built-in personal firewall technology. Add-on personal firewalls, such as Zone Labs' ZoneAlarm and Internet Security Systems' BlackICE, are good alternatives to consider, as well.

Granted, software-based firewalls tend to be less costly, but they require that the firewall application be run on every system on your network. If you have several systems to manage, that can add up from an administrative perspective. And if you forget to run the firewall software, or a user disables it, then your system is as good as unprotected.

Software products are also platform-specific; therefore, you may need to purchase one product for your Windows-based PCs, another for your Macs and yet another for your servers.

Closing the Gap

Traditionally, a gap has existed between the sophistication of SOHO/SMB firewall products and their big-brother enterprise models. Today, that gap has been significantly reduced and, in some cases, eliminated. You're now able to get the sophistication of the most advanced enterprise firewalls in a smaller, less costly form factor that is better suited for the SOHO/SMB market. Many times, hardware products are favored over software solutions because of their ability to eliminate the vulnerabilities of the OS, network-card drivers and general user error, such as forgetting to load the software. For that reason, we focus on the former in this article.

Three examples of hardware solutions for SOHOs/SMBs are NetScreen's 5xp, SofaWare Technologies' S-box and SonicWall's SOHO3 (see "Security Solutions For SMBs And Home Offices," page 42). Although that is not a comprehensive list, those three products will provide your customers with some of the more advanced technology available today, including stateful inspection and distributed denial-of-service protection. Hardware firewalls support traditional broadband connections, including static IP, dynamic host configuration protocol (DHCP) and point-to-point protocol over Ethernet (PPPoE), and connect directly between a DSL/cable modem and the internal network.

So far, SOHO firewalls don't sound very different from residential gateways; they are fairly plug-and-forget and don't require much configuration. These products, however, offer additional value to VARs. First, all three can be managed remotely using each company's remote-management solution: NetScreen Global PRO, SofaWare SMP and SonicWall Global Management System. All three also come with one or more additional value-added services, such as e-mail filtering, antivirus screening and managed security services, that can add to the coffers of the savvy VAR. While there are certainly standalone or third-party tools that provide some or all of these services, such as Norton's AntiVirus software or separate e-mail filtering products, these services are a good first cut for the average small business and provide much more protection for less than buying a separate product.

Adding Value

Firewall services are a useful way for VARs to enhance SOHO products and, at the same time, produce additional revenues and business. Here's how.

Each service requires some configuration and knowledge of the customers' requirements to provide the best security package. The good news for VARs is that the level of expertise required to administer these products isn't much beyond that of a good security engineer.

As an example, say a 10-person business is interested in having an antivirus solution to protect its incoming communications. The business could purchase 10 copies and then install the antivirus software on each desktop, or it could make use of the built-in antivirus screening tool from the firewall and save itself the hassle of maintaining 10 separate copies of the software. The VAR comes out looking good for providing a service that is easier to maintain and still offers a similar degree of protection.

Another area of opportunity for VARs is in educating customers. Many SOHO/SMB customers believe, naively, that once a firewall product is installed, they're protected. Unfortunately, the education process for consumers hasn't proliferated like that of virus protection. There are even customers who believe their systems connected via broadband are safe if they have virus protection installed.

Similar to how virus protection should be required on all systems, firewalls should follow the same path and be required on all broadband connections. Purchasing a firewall is just the first step. Firewalls require regular care and feeding to maintain their level of protection.

Customers also often overlook the additional costs for the administration and maintenance of a firewall. The downside to a SOHO/SMB consumer is that it can be very costly to hire dedicated security consultants, let alone bring a security professional on staff, not to mention that the cost to recover from an attack, should one occur, can be devastating to a customer's business. That is an opportunity for the VAR both in educating the SOHO/SMB customer and providing a cost-effective managed security service offering.

So, what's a VAR to do? Educating the SOHO/SMB customer is the first step.

"Education is critical," says Dan Sanguinetti, CEO of PC Professional, a VAR based in Oakland, Calif. "Customers are in an education mode. They've never had to think about security, but in this day and time they must."

In addition, helping customers understand the risks and how to protect themselves against them will build both their consciousness of security and their relationship with you. But the opportunity goes well beyond extending relationships with customers. Hiring a dedicated security consultant, or bringing one on staff, to manage and support their firewalls is simply cost-prohibitive for them. As stated earlier, the management products offered by NetScreen, SonicWall and SofaWare let a VAR remotely manage each vendor's devices.

In addition, a VAR using these tools can create a managed security offering for the SOHO/SMB market at a much lower cost to the customer. The offering is not only a product, in the form of the firewall, but also a service: securely managing that firewall remotely. Structured Communication Services, a VAR based in Portland, Ore., has done just that.

"Every company needs [protection]," says Ron Fowler, president and CEO. "They don't have the staff [or] other layers required to manage and monitor their firewall. Using tools from SofaWare and NetScreen, Structured has successfully pursued this business."

Many of the management products support the remote deployment of generic security policies to groups of firewalls. This eliminates the need to create a custom configuration for each firewall. In fact, most customers fit into one of just a few categories.

The first category is those who use their connection only for outbound access (i.e., Web browsing or POP access to e-mail on a remote server). This category is probably the most common category into which SOHO/SMB customers fall. The second category includes the first, but with a public Web server hosted internally. Likewise, the third category includes the second, but with the e-mail server located on the customer's internal private network.
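The three categories map naturally onto cumulative, default-deny policy templates. The sketch below is an added, vendor-neutral illustration, not configuration from any of the products named in this article; the internal addresses, the port choices and the function names are assumptions, and it models only the openings each category adds.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str  # "out" = LAN to Internet, "in" = Internet to LAN
    proto: str
    port: int
    host: str       # internal host an inbound rule forwards to; "any" for outbound

# Constructed sample addresses for the internally hosted servers.
WEB_SERVER = "192.168.1.10"
MAIL_SERVER = "192.168.1.20"

# Category 1: outbound access only (Web browsing, POP to a remote mail server).
# Replies to these connections are admitted by stateful inspection, so the
# template needs no inbound rule at all.
OUTBOUND_ONLY = [
    Rule("out", "udp", 53, "any"),   # DNS lookups
    Rule("out", "tcp", 80, "any"),   # HTTP
    Rule("out", "tcp", 443, "any"),  # HTTPS
    Rule("out", "tcp", 110, "any"),  # POP3
]
# Category 2 adds one inbound opening, pinned to the Web server only.
WEB_HOSTING = OUTBOUND_ONLY + [Rule("in", "tcp", 80, WEB_SERVER)]
# Category 3 adds inbound SMTP, pinned to the mail server only.
MAIL_HOSTING = WEB_HOSTING + [Rule("in", "tcp", 25, MAIL_SERVER)]

TEMPLATES = {1: OUTBOUND_ONLY, 2: WEB_HOSTING, 3: MAIL_HOSTING}

def decide(category, direction, proto, port, host="any"):
    """Default deny: a new connection passes only if a template rule matches."""
    for rule in TEMPLATES[category]:
        if (rule.direction, rule.proto, rule.port) == (direction, proto, port) \
                and rule.host in ("any", host):
            return "allow"
    return "deny"

def inbound_exposure(customers):
    """Map each customer to the services its template exposes to the Internet."""
    return {name: [(r.proto, r.port, r.host)
                   for r in TEMPLATES[cat] if r.direction == "in"]
            for name, cat in customers.items()}
```

Running `inbound_exposure` over the customer list gives a quick audit of which sites accept unsolicited Internet traffic, and to which host.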

Setting up the security policies for each of these three scenarios is easy to do. These products can also accommodate situations where a customer requires a more complex and, often, custom configuration. In addition to managing security policies on firewalls, each of the products can be remotely updated with patches and firmware updates. That is yet another benefit the VAR can provide to its customers using these technologies.

Certification Considerations

Educating yourself is as important as educating your customers, and is a first step for any VAR who wants to offer a managed security service. Certified Information Systems Security Professional (CISSP) and Global Information Assurance Certification (GIAC) are worthwhile certifications to have. GIAC costs $425 when taken on its own, or an additional $250 when taken in conjunction with another SANS course offered by the SysAdmin, Audit, Network, Security Institute. CISSP costs $450 per course.

Certifications from the vendors of other products you're supporting are also good to have. Once you're confident with the technologies and understand the security methodologies to deploy them, you're ready to provide the service.

The final point is to stay on top of patches, updates and threat announcements. Subscribe to the more common security e-mail lists and bulletin updates. Staying in tune with what's happening in the security space is critical to staying ahead of the ever-present deluge of threats.