Educause Security Discussion mailing list archives

Re: Firewall Administration


From: Greg Schaffer <schaffer () MTSU EDU>
Date: Wed, 8 Jun 2005 13:51:58 -0500

Our original campus firewall was installed more to protect the network
from disruptive events (DOS, etc) than to provide server and data
security (although the latter was an important feature).  This grew out
of using ACLs for essentially the same purposes.  Now that this has
grown into a system of enterprise firewalls, administrative duties still
reside in Network Services, although they are in the process of being
transitioned to the IT Security group.  Which is not a problem, because
the IT Security group is a subset of Network Services.  But we quickly,
consistently, and often point out that we enforce policy, not create it.

To perform scans, ID, etc, security groups have to have complete and
overall access to all components of the network, almost by definition.
Conversely, firewalls are, essentially, network devices at the core
(usually routers).  They participate in route updates, route multicast,
etc.  The network folks have to manage that.  Now, I can see where the
security groups manage the firewall software itself (rulesets, etc)
while the network group manages the hardware, OS, and connections;
that's really the best way to do it if security and network groups are
separate.

Remember what firewalls do: they break network connections.  And who is
responsible for network operation?

Greg Schaffer
Director, Network Services
Middle Tennessee State University

Geoff Nathan wrote:

At 01:29 PM 6/8/2005, you wrote:

If you don't mind sharing, who maintains your firewalls - hardware
and operating system, not the firewall software? Currently, our IT
Security team are the only people with access to our firewalls, but
our networking group is asking for some rights to maintain the
hardware and to be able to reboot them. I have mixed feelings about
this and wanted to know how other organizations handle this. Also,
what are some of the pros and cons of this?  Thanks,
This is a very politically charged issue on some campuses (such as
ours).  We maintain a centrally-managed peripheral firewall, but some
units prefer to run their own (some colleges, for example, have very
talented IT guys with a certain amount of distrust of 'central IT').
Additionally, some units (notably Computer Science) want to be able to
experiment with ports as part of what they do, and would prefer the
ability to manage their own firewalls for that reason.  We're
conducting a study to form a committee to conduct a study...

I'd be interested in other responses, as we've not got very far with
managing this so far.

Geoff

Geoffrey S. Nathan <geoffnathan () wayne edu>
Faculty Liaison, Computing and Information Technology,
        and Associate Professor of English
Linguistics Program, Department of English
Wayne State University, Detroit, MI 48202
Phone numbers:
  Computing and Information Technology: (313) 577-1259
  Linguistics (English): (313) 577-8621
  C&IT Fax: (313) 577-1338