Bose Corp. was doing an adequate job using its own staff to protect its network from hacker attacks, but the company wanted to take a more forward-looking and coordinated approach to its WAN-related needs.

So Bose, which makes high-performance audio equipment, outsourced its security function in 1998 to Genuity. "We were good at [security] when we did it ourselves," says Bose CIO Rob Ramrath "But we were mostly looking in the rearview mirror. We wanted to take the situation we had and position it for the future."

That future involved combining Internet access, Web hosting, extranet development and VPN services with managed security in one outsourcing agreement, Ramrath says. Genuity maintains and monitors one firewall at Bose's main office in Framingham, Mass., as well as the firewalls in front of Bose's Web servers located in Genuity's network operations center.

Tips from those who have been there:
  1. Determine what security services you want from a provider, and find a supplier willing to meet your condiitons.
  2. Do a cost analysis.
  3. Listen to recommendations from you peers.
  4. Make sure you're comfortable working with your security outsourcer as a partner.

Bose is one of many companies that has gotten over its initial trepidation at the thought of giving control of security to an outside vendor.

The driver for outsourcing security for many companies is the belief that up-to-date security measures involve more than just a firewall. Nowadays, you also need things like intrusion detection, round-the-clock monitoring and electronic fraud prevention. The downside is these approaches require highly skilled people to make sure the applications are integrated well and function properly.

To avoid the high price tag associated with hiring and retaining network security professionals, many companies - regardless of their size - are going the outsourcing route.

Ron Hilliard decided two years ago that his health maintenance organization needed help monitoring its firewalls, but he realized he didn't have anyone on staff with the necessary knowledge, time and resources to do the job right.

"The biggest part was keeping someone in-house with the knowledge and who was up to date on the current [security] technology," says Hilliard, a network engineer at Health Alliance Plan in Detroit. "And there were days when someone would make a change to the firewall and would go home or be on vacation."

Hilliard looked at various companies that specialized in outsourced security services, sought guidance from Gartner analysts and consulted with his peers before selecting Atlanta's Internet Security Systems (ISS).

Currently, Health Alliance Plan contracts with ISS to monitor its four firewalls for computer viruses. ISS also set up the organization's Check Point 4.0 VPNs, which connect Health Alliance to its customers and a trading partner.

Although Hilliard estimates that Health Alliance saves between $20,000 and $30,000 annually by outsourcing its security services to ISS, there's a part of him that would still like to bring security back under his control. "I would love to bring that technology back in-house, but right now we don't have the technical savvy to do that." Hilliard says. "You're handing over the keys to the castle. But it's better to hand over the keys than to open yourself up to an attack."

Saving money was the driving force behind Richard Guetzloff's decision to hire Telenisus to monitor his company's firewalls. Guetzloff, senior director of enterprise services at R.R. Donnelley & Sons, figures that "a good firewall guy" would cost $100,000 per year.

"I couldn't hire a person for a year for what [Telenisus is] doing for me over two years," he says.

Guetzloff chose Telenisus last November because the company agreed to be flexible with contract terms and because of its proximity to R.R. Donnelley, a 34,000-employee global printing and information services company in Chicago. Guetzloff says Telenisus'offering was the maturest at the time.

"We depend heavily on the Internet to transfer files on what we're printing for customers," he says. "These files have to move around 24 hours a day, seven days a week."

And he's pleased with the way things have turned out. Guetzloff says he's more confident that his network is being protected "because I have a bunch of experts" watching it. Without Telenisus, "I'd have to hire a support guy who wouldn't necessarily be as educated on the latest security issues," he says.

SLAs are key
One of the most important items to consider in an outsourced security deal is the service-level agreement (SLA).

Genuity implements Bose's policy changes, monitors its firewall application and responds to security events in accordance with the terms spelled out in the SLA. The agreement also covers reaction processes for security breaches, reaction times and repair times.

Ramrath and his IS team meet with Genuity staffers every three months to review Genuity's work for the previous three months. During these meetings, the two teams discuss problems that arose, whether service levels were missed, how cooperation can be improved and how to leverage Genuity's services in the future.

Genuity's standard SLA for its managed firewall service is 99.9% uptime, while a high-availability SLA guarantees 100% uptime. Additionally, firewall rule changes that are received by 6 a.m. have to be implemented by Genuity by the close of the next business day.

Hilliard and his staff create the policy changes for the firewalls on a daily basis via a secure connection to the ISS Web site, and ISS engineers implement them. Each ticket is labeled urgent, serious or unimportant. When Hilliard talks with an ISS engineer, he says he gets consistent service no matter which engineer it is.

By outsourcing firewall monitoring and intrusion detection to Telenisus, R.R. Donnelley has a group of security experts watching the integrity of the firewall rule changes, and has service-level agreements that guarantee availability "all the time" and a high level of responsiveness, Guetzloff says.

Telenisus agreed to make mission-critical firewall changes within an hour, and all other policy changes within 24 hours, he says. "Telenisus oversees the policy changes to make sure we don't put ourselves at risk," he says.

This kind of prevention could be the most compelling part of outsourcing security management and monitoring. "It's going to keep [the customer] ahead of the hackers," says Jon Forcade, director of product management at Telenisus.

Implementation issues
After Health Alliance selected ISS, the outsourcer visited Health Alliance's corporate office in Detroit to install several Unix servers and modems in the data center, Hilliard says. Health Alliance also runs Web servers in the data center.

Outside the data center are four Check Point firewalls with Check Point 4.0 VPN software and ANX encryption. Behind the firewalls are two Cisco 4000 and 7000 routers and a Cisco ES 5500 switch. The ES 5500 connects to the Cisco 2900 workgroup switches on each floor of the building.

A WAN connects the corporate office to the organization's other main office in Southfield, Mich., and four field offices around Michigan. ISS monitors Health Alliance's firewalls via a secure Internet connection to the data center in Detroit.

ISS's managed security services center in Atlanta monitors all the traffic sensors in an organization, typically with firewalls made by Check Point, WatchGuard and Cisco.

Telenisus and Genuity provide managed security services to customers as part of a larger package of network services. After working with a customer to determine the security needs, Telenisus security engineers set up monitoring equipment at the company's security center in Chicago and at the customer site. Customers can assess whether Telenisus is meeting terms of their SLAs via a Web portal.

"Security is more of a series of processes, a chain of events, we set up with a customer," says John Summers, director of product strategy at Genuity. Once the process, commonly known as event escalation, is established, Genuity begins to monitor a customer's routers, firewalls and Web servers via its network operations center in Burlington, Mass.

While event escalation procedures vary from customer to customer, the goal is the same for each managed security services provider: Keep customers' networks secure.

Analysts say outsourcing network security is a no-brainer for businesses that don't have the experience, expertise or resources to manage their firewalls correctly.