Do any MSP/MSSP mandate networking hardware minimum requirements?
Posted by Thick-Block-268@reddit | sysadmin | 21 comments
We're an MSP who has recently started transitioning towards an MSSP posture. As we tighten our MSA and SOW, one thing that has come up is networking hardware. Since the goal is to target compliance-regulated industries, we want to implement a "Minimum Standard" that outlines what's in our stack and must be implemented with no exceptions. So far this has not been a point of contention by any clients or prospects.
The question is, should this expand to networking hardware?
What model is ideal for an MSSP:
- Model A: Client BYO, but must meet spec. They keep whatever firewalls/switches/APs they already own, as long as the gear is on a written list of approved manufacturers and tiers (e.g., Fortinet, Sophos, Meraki, Ubiquiti UniFi business line, and WatchGuard), excluding consumer-grade hardware such as the ISP-supplied combo box or the TP-Link, Netgear, etc. hardware they picked up at Best Buy or Amazon. The client is responsible for licensing, firmware, hardware refresh, and replacement at end-of-life. We manage the configuration but don't own the asset.
- Model B: We provide the hardware via HaaS or outright purchase (mandatory). Every client gets an approved firewall, switch stack, and AP through our HaaS/purchase program, configured to our standards and refreshed based on the EOL schedule. The client has no choice in the matter.
- Model C: Hybrid with grandfathering. We define an approved-equipment list. New clients get provided HaaS gear by default. Existing-equipment clients are evaluated at onboarding: if their gear is on the approved list and within its supported lifecycle, they keep it; if not, they either replace it at their own expense before onboarding or take on a HaaS as a condition of the engagement. End-of-life or end-of-support equipment must be replaced regardless of who owns it.
- Model D: Let the client use whatever networking hardware they want, and we explicitly tell them we cannot be held responsible in the event of a breach if an audit/forensics finds the breach due to a bad configuration and/or using consumer-grade hardware.
I'm leaning towards Model A or C. I don't really care for Model D, and the idea of mandating that they use our equipment as outlined in Model C seems so harsh, with an "it's my way or the highway" kind of tone.
If none of these sound like good options, please tell me how you're approaching this. I'm genuinely curious to know how other MSP/MSSPs are approaching this aspect of their business.
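The Model C onboarding decision above (approved list, supported lifecycle, EOL replaced regardless of owner) written out as a small inventory check. This is an added example, not from the thread; the vendor/product-line list, device names and support dates are all constructed placeholders.

```python
"""Onboarding evaluator for the Model C rules described in the post.
Added example; the approved list, devices and dates below are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed approved list: vendor -> product lines the MSSP is willing to manage
APPROVED = {
    "fortinet": {"fortigate", "fortiswitch", "fortiap"},
    "sophos": {"xgs"},
    "meraki": {"mx", "ms", "mr"},
    "ubiquiti": {"unifi"},
    "watchguard": {"firebox"},
}
# Constructed consumer-grade vendors that are never accepted, whatever the model
CONSUMER_VENDORS = {"tp-link", "netgear", "linksys", "isp-supplied"}


@dataclass
class Device:
    name: str
    vendor: str
    line: str
    end_of_support: Optional[date]  # None = vendor has not announced an EOS date
    client_owned: bool


def evaluate(dev: Device, today: date, refresh_window_days: int = 365) -> str:
    """Return keep / keep_plan_refresh / replace / replace_or_haas."""
    vendor, line = dev.vendor.lower(), dev.line.lower()
    # Rule 1: EOL/EOS equipment is replaced regardless of who owns it.
    if dev.end_of_support is not None and dev.end_of_support <= today:
        return "replace"
    # Rule 2: consumer-grade or not on the approved list -> client replaces it
    # at their own expense or takes HaaS as a condition of the engagement.
    if vendor in CONSUMER_VENDORS or line not in APPROVED.get(vendor, set()):
        return "replace_or_haas"
    # Rule 3: approved and supported, but support ends within the refresh
    # window -> keep it, but put the refresh on the roadmap now.
    if dev.end_of_support is not None and (dev.end_of_support - today).days < refresh_window_days:
        return "keep_plan_refresh"
    return "keep"


def onboarding_report(inventory, today: date) -> dict:
    """Map each device name to its onboarding decision."""
    return {d.name: evaluate(d, today) for d in inventory}
```

Feed it the onboarding inventory and the report tells you up front which devices block the engagement, which are fine, and which need a dated refresh in the roadmap.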
Potential_Force_4136@reddit
What helped us keep tabs on approved devices, so onboarding and compliance checks run smoother, was Atera; heard about NinjaRMM.
KAugsburger@reddit
Model D ends up just being a shit show. It ends up becoming really time consuming to support any networking issues if they have unmanaged switches. I can remember some past places I worked where co-workers wasted hours before they tracked down a logical loop at a client that just had a mess of cheap switches. It also just becomes harder for staff to become proficient at troubleshooting issues if you have too many different vendors. Techs end up spending time trying to look up how you even do certain tasks because they have either never done them on equipment from this vendor or it has been so long that they have forgotten. Generally it is going to be very difficult to ever get clients to upgrade to better equipment if you can't get it done when they onboard.
Model B is the ideal for the MSP, but it can be a hard sell for many prospects. That can easily add thousands of dollars to the cost of onboarding a new client. Many companies are going to be reluctant to replace existing network equipment unless it is EOL with the vendor or they are already having issues. An MSP needs to be fairly mature, where they have good marketing and can afford to pass on some cheaper clients that don't fit this model.
Models A and C are the most common that I have seen. It makes it easier to sign new clients than Model B, but it keeps your support costs much lower than under Model D. I would make sure that the contract makes the limits on supporting EOL equipment under Model A clear. Many MSPs would prefer to push everyone to a HaaS model, but there are going to be some clients that are reluctant to sign such a deal because it makes leaving a lot tougher if they aren't happy with the support. It is good to offer the option for the client to own the equipment outright. I have generally found that you can usually get most clients to move to your preferred vendors within 2-3 years if you are doing a decent job and your preferred vendor isn't crazy expensive.
anonymousITCoward@reddit
We have minimum recommendations, but will not enforce them. We still have clients that are running Linksys 10/100 switches... Not Linksys/Cisco... Linksys...
Thick-Block-268@reddit (OP)
Yikes! Are they still on dialup? lol. How can they justify using such old hardware when there are dirt-cheap 1Gbps options?
anonymousITCoward@reddit
If it ain't broke, don't fix it...
Adimentus@reddit
10/100? In today's age? Does Barbara always complain about how slow her network application is running?
anonymousITCoward@reddit
Nope, no complaints about network speed; if it works, they don't care...
EnDR91-EC@reddit
IoT doesn't need more; industrial is mostly 10/100.
pdp10@reddit
Much industrial uses 100BASE-TX because it only requires two pairs instead of four, and because a lot of these communications don't need any more bandwidth than RS-485 anyway.
BeagleBackRibs@reddit
It's surprising how little managers care about performance. I've migrated a company to the cloud but warned them they need to upgrade their 10/100 phones first. Nope, let's just migrate and deal with it later.
gitblametherapy04@reddit
Yeah, that's the classic technical debt tax: you fix the obvious thing and then wonder why the new system is slow until someone finally looks at the switch port stats and sees the 10/100 bottleneck.
Adimentus@reddit
That's insane to me. Even if their ISP isn't providing gigabit we still try to get the network stack on gigabit for internal applications and such.
EnDR91-EC@reddit
The good ol' days
AtarukA@reddit
If we manage your IT, yes we mandate it or have you sign a waiver.
If we don't 100% manage your IT, then it depends on what we manage and the level of autonomy we are given.
CraftedPacket@reddit
Pretty much C. As an MSP this is how we are able to keep costs down: standardizing clients on hardware we know works and that we have the team to support. We are much more flexible with switching than firewalls.
Adimentus@reddit
Work at an MSP myself and we follow Model C until EOL and then transition our clients to Model B. We ensure the client will get approved equipment and there will be little to no change to the network plan when we transition to our preferred equipment, and this is usually the case. Most of the time when we take on new clients that have an existing stack, they don't want to pay the tens of thousands that it would take to get a new stack right away, but we will give them the roadmap after evaluation and plant the expectation that this money will need to be spent X years down the road for security.
Smooth-Zucchini4923@reddit
Re Model C: Have you thought about training costs? If you have 5 different firewall providers, it might be expensive to train techs across all of them. Kind of depends on your scale and how specialized each employee can be.
Re Model D: I'm not sure how this liability limitation would work in practice. It's not always clear how an attacker first got into a network, especially if they can tamper with or erase audit logs. Also, usually there are multiple controls at fault for an attack.
illicITparameters@reddit
The only thing we ever stood firm on was active support contracts on firewalls/routers/UTMs. We always preferred customers went with our solution, but we also didn't care if they said "no" as long as they had support. Switching and wireless were pretty much whatever they had or wanted. We'd make suggestions, but also didn't lose sleep if they didn't take them.
Model B is the dream, but you'll have to deal with Model A and D at times as well.
bunnythistle@reddit
Honestly, I think a major factor in deciding on an MSSP would be whether they would support our current infrastructure or not. Like yeah, if a potential client is running a 20+ year old Cisco ASA, then it'd be reasonable to tell them they need to buy something newer and currently supported. But if we have a bunch of FortiGates / FortiSwitches that are still vendor supported for several years, we almost certainly would not give much consideration to an MSSP that says "we don't support Fortinet, would you like to buy Ubiquiti?"
Even if we were near a hardware refresh, asking us to change infrastructure vendors would seem like a challenging sell. Replacing a FortiGate usually just involves exporting the config, running it through a converter to update the ports to match the new model, and importing that into the new one. Swap-outs take just a few minutes at most. Migrating to a different platform would likely be a lot more involved, time- and testing-wise, such that I'd rather just look for a different MSSP that would support what I have already.
malikto44@reddit
Depends on the client. If the MSP is in the 100% driver's seat, then model B. If the MSP is in a consultant position, then model A or D.
The ideal is Model B, because overall, if the MSP is good, this provides the most resiliency.