Educause Security Discussion mailing list archives
Re: Firewall Administration
From: Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>
Date: Wed, 8 Jun 2005 13:03:36 -0600
This has definitely been a very politically charged conversation across academia, government, as well as corporations throughout the world. With the implementation of new privacy and security regulations, segregation of duties is more important than ever. The "Least Privilege Rule" is definitely applicable to this discussion.

Some in this discussion thus far have indicated that you have to determine what works best for your organization. Unfortunately, or perhaps fortunately, this is true. When making any decision related to information security, the risks and rewards of changing who has access to elevated privileges must be weighed. What would your organization gain by allowing Network Services some access to firewalls? What privileges are absolutely necessary in order to gain this reward? Can you limit the privs of Network Services so that they can only reboot servers? (I.e., if this is an after-hours issue and there are times when this ability would help an IT Security person get to sleep through the night.)

Thus far (in my experience), when this heated political discussion is raised, for some reason it becomes an "us against them" type of war between Network Services and IT Security over who should have access to what. It is generally not a pretty war. ;-)

I suggest that you create a list of what benefits you would hope to achieve by giving Network Services access to administer the firewall. In your considerations, carefully ponder exactly what privs must be given to Network Services in order to achieve these benefits. (There are MANY tools available that can greatly limit the amount of access that you must give to someone to allow limited administration abilities.) If you do make a change to your Access Control Lists, make the SMALLEST change possible to achieve the benefits while still being able to maintain the security of your firewalls. Once you make a change to allow Network Services access to the firewall, this change will be politically hard to reverse. Thus, as future legislation moves down the pipeline towards academia, you may be forced to prove how you segregate duties. Be sure to consider this before changing ANY access control lists.

Best of luck in your decision. I am definitely interested in seeing your list of benefits that you hope to achieve by making this change. It is highly likely that someone on this discussion group may have other ideas of how you can achieve your goals without compromising the security of your firewalls.

Sincerely,
Sarah E Stevens
Stevens Technologies, Incorporated
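One way to express the "reboot only" grant the message suggests, as an added example that is not from the thread, assuming the firewalls run on a Unix-like host with sudo, that Network Services is the group netsvc, and that the firewall hosts are fw1 and fw2 (all assumed names):

```sudoers
# Added example, not from the thread. Assumed: group "netsvc" is Network
# Services, fw1 and fw2 are the firewall hosts, sudo is installed on them.
Host_Alias  FIREWALLS = fw1, fw2
# The trailing "" restricts reboot to no arguments; a bare path in sudoers
# would permit any arguments. shutdown is allowed only with exactly "-r now".
Cmnd_Alias  FW_REBOOT = /sbin/reboot "", /sbin/shutdown -r now
# Record session output so the widened access leaves an audit trail.
Defaults:%netsvc    log_output
# Members of netsvc may reboot the firewall hosts as root and nothing else;
# they still authenticate with their own password (no NOPASSWD tag).
%netsvc     FIREWALLS = (root) FW_REBOOT
```

Install it with visudo so the syntax is checked before it takes effect (visudo -c -f on a candidate file validates it), and keep the rule in its own file under /etc/sudoers.d so the change is easy to review and to reverse.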
At 01:29 PM 6/8/2005, you wrote:

> If you don't mind sharing, who maintains your firewalls - hardware and operating system, not the firewall software? Currently, our IT Security team are the only people with access to our firewalls, but our networking group is asking for some rights to maintain the hardware and to be able to reboot them. I have mixed feelings about this and wanted to know how other organizations handle this. Also, what are some of the pros and cons of this? Thanks,

This is a very politically charged issue on some campuses (such as ours). We maintain a centrally-managed peripheral firewall, but some units prefer to run their own (some colleges, for example, have very talented IT guys with a certain amount of distrust of 'central IT'). Additionally, some units (notably Computer Science) want to be able to experiment with ports as part of what they do, and would prefer the ability to manage their own firewalls for that reason. We're conducting a study to form a committee to conduct a study...

I'd be interested in other responses, as we've not got very far with managing this so far.

Geoff

Geoffrey S. Nathan <geoffnathan () wayne edu>
Faculty Liaison, Computing and Information Technology,
and Associate Professor of English
Linguistics Program
Department of English
Wayne State University
Detroit, MI, 48202

Phone Numbers
Computing and Information Technology: (313) 577-1259
Linguistics (English): (313) 577-8621
C&IT Fax: (313) 577-1338
--
Current thread:
- Firewall Administration Hart, Lee Anne (Jun 08)
- <Possible follow-ups>
- Re: Firewall Administration Steven Johnson (Jun 08)
- Re: Firewall Administration Cal Frye (Jun 08)
- Re: Firewall Administration Parker, Ben C (Jun 08)
- Re: Firewall Administration Geoff Nathan (Jun 08)
- Re: Firewall Administration Greg Schaffer (Jun 08)
- Re: Firewall Administration Sarah Stevens (Jun 08)
- Re: Firewall Administration Willis Marti (Jun 08)
- Re: Firewall Administration Davis, Thomas R. (Jun 15)