Security Basics mailing list archives
RE: Network Engineer vs. Network Security Engineer
From: Uzair Hashmi <uzair.hashmi () kse com pk>
Date: Tue, 12 Jan 2010 10:04:34 +0500
Here is the simplified version of whatever my friends discussed. Think of roles from the perspective of Owners and Custodians. I.e. they are owners or custodian of an information asset. Owners are your Management (if any, like finance etc) or the Company itself. Now the person who is operating the network and have access in terms of making the things work is called Network Engineer, he / she is the custodian of this asset. Whereas Network Security Engineer helps the Network Engineer to achieve compliance and standards, w.r.t. policy or regulation etc. He / she is not the custodian of the information asset, but is the custodian of the process how things are managed. So he / she better not have the explicit administrative access, however for a periodic security review both can sit together and find out the gaps in compliance. A penetration test performed by the Network Security Engineer, would be an alternative approach for a security review, but it is recommended only if you have achieved a certain confidence level. Otherwise there would be leg pulling between the teams. In your case, make your boss (or the person you report to) transparent about the issues, and identify him about the risks involved in the current configurations of the equipment. Document these risk and mail to the Network Engineer and CC to his boss and yours too. He should listen to you and take appropriate actions as your guidance. Hope things are clear now, and a line (having no end points) have been drawn. Best Regards, Uzair -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Lauren Twele Sent: Tuesday, January 12, 2010 3:22 AM To: Michael.Barber () wellsfargo com; martinez85 () att blackberry net; security-basics () securityfocus com Subject: Re: Network Engineer vs. Network Security Engineer Are you using an identity management product of any sort to set rules and policies and to monitor audit logs? IDM products also assist with provisioning and de-provisioning of employees. On 1/11/10 12:31 PM, "Michael.Barber () wellsfargo com" <Michael.Barber () wellsfargo com> wrote:
My 0.02 on the topic. First. Any single point of failure.. such as only one person with access to the systems is poor policy and/or management. Who audits the actions of the sole access individual? After that, job roles and definitions have some guidelines.. but, this sounds like more of an internal politics fight. Turf wars are great. A discussion and review on separation of duties would seem appropriate. http://www.sans.edu/resources/securitylab/it_separation_duties.php Good luck. Thanks, Mike Barber Security Analyst PowerBroker, VAS and UnixSecure Support IST - Unix/QA Infrastructure Services (Charlotte) o. (704) 427-0512 m. (704) 607-8879 Charlotte, NC -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jason Hurst Sent: Monday, January 11, 2010 10:45 AM To: martinez85 () att blackberry net; security-basics () securityfocus com Subject: RE: Network Engineer vs. Network Security Engineer Hi Johnathan, That is a tough question, and all I could say is that it depends on what you see your role as, and what the company sees your role as. Are you the security auditor and developer of security policy? If you are, then you should NOT have "write" access to the IPS, IDS, Routers, and ASA devices, because then you would be auditing your own work. In that context, you should have "read only" access to these devices, and pass change requests to the Network engineer to make tuning changes. This would enable an adequate level of segregation of duties. However, perhaps you are not the auditor, and you are implementing already established security policy at your company. In that case, you should have "write" authority to these security devices, as the Network Engineer should have primary responsibility of network connectivity, and you should have primary responsibility of security rules. But some further information might be helpful. What was the reason that the Network Engineer gave for denying your access? Was it a segregation of duties argument, or was there something else? Did he deny even read access? Jason Hurst Sr. Network Security Administrator Panda Restaurant Group jason.hurst () pandarg com Please consider the environment before printing this email -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Johnathan Sent: Saturday, January 09, 2010 9:04 AM To: security-basics () securityfocus com Subject: Network Engineer vs. Network Security Engineer Hello List, I am Security Engineer/Analyst at a company who is currently building their security program and have run into a issue on defining a Network Security Engineer's roles and duties versus a Network Engineer (on the LAN/WAN side) and where a line is drawn and what should overlap. This subject came about when I requested access to our Cisco IPS, IDS and ASAs. The senior engineer (who, by the way, is the only person who has full access to all of our Cisco routers, switches, IPS, IDS, ASAs, etc.) within my company fought to disallow my access. We have Cisco MARS implemented, and I am the primary manager of that device and require access to our Cisco security devices (IPS, IDS, etc.) to sufficiently tune and update the appliance. Was I and am I wrong for requesting access and wanting it? Where should the line be drawn as far as duties and roles? Not just for Cisco security devices but on an enterprise wide scale. I would really appreciate any responses to this. Than You. ---- Johnathan Sent via BlackBerry by AT&T ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------ ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------ ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Network Engineer vs. Network Security Engineer Johnathan (Jan 11)
- RE: Network Engineer vs. Network Security Engineer Jason Hurst (Jan 11)
- RE: Network Engineer vs. Network Security Engineer Michael.Barber (Jan 11)
- Re: Network Engineer vs. Network Security Engineer Lauren Twele (Jan 11)
- RE: Network Engineer vs. Network Security Engineer Uzair Hashmi (Jan 12)
- Best firewall applience Paul.Simons (Jan 13)
- RE: Best firewall applience Emilio Morla (Jan 13)
- RE: Best firewall applience Boyd, Chad (Jan 13)
- RE: Best firewall applience Paul.Simons (Jan 18)
- Re: Best firewall applience Kurt Buff (Jan 19)
- Re: Best firewall applience Ricardo Ferreira (Jan 19)
- Re: Best firewall applience Adam Mooz (Jan 19)
- Re: Best firewall applience Daniel Radetic (Jan 20)
- RE: Network Engineer vs. Network Security Engineer Michael.Barber (Jan 11)
- RE: Network Engineer vs. Network Security Engineer Jason Hurst (Jan 11)
- Re: Best firewall applience Francois Yang (Jan 13)
- RE: Best firewall appliance Andy Cuff (Jan 13)