Hi,

I am trying to put together some information to give my employer to help convince them they should use a firewall for their internet and service provider connections. They tell me that the firewall is at the service provider. I know that that explaination is not a sound one, since in most service provider contracts it contains a clause that the customer is responsible for security of the connection to the ISP and service provider. My question is: Since my backgroud is not technical in nature, can anyone share with me information that would explain the reasons and benefits why, even though a service provider for critical processing is used, a firewall should be considered for internal connections out (and in) to the ISP and service provider.

Do you work for a bank? If yes, you had better get on the internet firewall project because a firewall is required.

Your internet connection, whether through dial-up or DSL, is an open line and it is possible for someone to access your PC or your Network through the internet connection - when it's open - and therefore access your files, etc.

While there are service providers that offer some level of security to their customers if you aren't running with onsite security equipment it is very unlikely you are properly secured. I think the easiest way to put things in perspective is to sit down and go through the FFIEC Information security booklet and see how you do. It can be found at http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html#infosec

If you are a small bank you may want to consider outsourcing some of these functions. (ok.. so I'm biased). I also have a set of Frequently asked questions that deals with this issue. If you email me I'll be happy to send it along.

One argument here:
You don't know jack about your ISP's hiring practices, and your members/customers deserve to have someone chosen *BY YOUR FI* securing the systems your employees must use.
I've worked in corporate information systems for a while. One ISP tech support guy I knew actually had an arrest record with the FBI for hacking.
You really wanna' trust a general-purpose ISP security setup to provide you security?
Get a more bank-oriented computer security person to set up your network.

There is no need to depend on an ISP for security - you need to maintain a firewall at your end and whatever entity that handles internet banking needs to maintain a firewall, etc. at their end.