Educause Security Discussion mailing list archives
Re: Firewall Administration
From: Greg Schaffer <schaffer () MTSU EDU>
Date: Wed, 8 Jun 2005 13:51:58 -0500
Our original campus firewall was installed more to protect the network from disruptive events (DoS, etc.) than to provide server and data security (although the latter was an important feature). This grew out of using ACLs for essentially the same purposes. Now that this has grown into a system of enterprise firewalls, administrative duties still reside in Network Services, although they are in the process of being transitioned to the IT Security group. Which is not a problem, because the IT Security group is a subset of Network Services. But we quickly, consistently, and often point out that we enforce policy, not create it.

To perform scans, ID, etc., security groups have to have complete and overall access to all components of the network, almost by definition. Conversely, firewalls are, essentially, network devices at the core (usually routers). They participate in route updates, route multicast, etc. The network folks have to manage that. Now, I can see where the security groups manage the firewall software itself (rulesets, etc.) while the network group manages the hardware, OS, and connections; that's really the best way to do it if security and network groups are separate.

Remember what firewalls do: they break network connections. And who is responsible for network operation?

Greg Schaffer
Director, Network Services
Middle Tennessee State University

Geoff Nathan wrote:
> At 01:29 PM 6/8/2005, you wrote:
>
> > If you don't mind sharing, who maintains your firewalls - hardware and operating system, not the firewall software? Currently, our IT Security team are the only people with access to our firewalls, but our networking group is asking for some rights to maintain the hardware and to be able to reboot them. I have mixed feelings about this and wanted to know how other organizations handle this. Also, what are some of the pros and cons of this? Thanks,
>
> This is a very politically charged issue on some campuses (such as ours). We maintain a centrally-managed peripheral firewall, but some units prefer to run their own (some colleges, for example, have very talented IT guys with a certain amount of distrust of 'central IT'). Additionally, some units (notably Computer Science) want to be able to experiment with ports as part of what they do, and would prefer the ability to manage their own firewalls for that reason.
>
> We're conducting a study to form a committee to conduct a study... I'd be interested in other responses, as we've not got very far with managing this so far.
>
> Geoff
>
> Geoffrey S. Nathan <geoffnathan () wayne edu>
> Faculty Liaison, Computing and Information Technology, and Associate Professor of English
> Linguistics Program
> Department of English
> Wayne State University
> Detroit, MI, 48202
>
> Phone Numbers
> Computing and Information Technology: (313) 577-1259
> Linguistics (English): (313) 577-8621
> C&IT Fax: (313) 577-1338