Educause Security Discussion mailing list archives

Re: Firewall Administration


From: Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>
Date: Wed, 8 Jun 2005 13:03:36 -0600

This has definitely been a very politically charged conversation across
academia, government, as well as corporations throughout the world.
With the implementation of new privacy and security regulations,
segregation of duties is more important than ever.  The "Least
Privilege Rule" is definitely applicable to this discussion.  Some in
this discussion thus far have indicated that you have to determine what
works best for your organization.  Unfortunately or perhaps
fortunately, this is true.  When making any decision related to
information security, the risks and rewards of changing who has access
to elevated privileges must be weighed.  What would your organization
gain by allowing Network Services some access to firewalls?  What
privileges are absolutely necessary in order to gain this reward?  Can
you limit the privs of Network Services so that they can only reboot
servers? (i.e. if this is an after hours issue and there are times when
this ability would help an IT Security person get to sleep through the
night)

Thus far, (in my experience) when this heated political discussion is
raised, for some reason it becomes an "us against them" type of war
between Network Services and IT Security over who should have access
to what.  It is generally not a pretty war.  ;-)

I suggest that you create a list of what benefits you would hope to
achieve by giving Network Services access to administer the firewall.
In your considerations, carefully ponder exactly what privs must be
given to Network Services in order to achieve these benefits.  (There
are MANY tools available that can greatly limit the amount of access
that you must give to someone to allow limited administration
abilities.)  If you do make a change to your Access Control Lists, make
the SMALLEST change possible to achieve the benefits while still being
able to maintain the security of your firewalls.  Once you make a
change to allow Network Services access to the firewall, this change
will be politically hard to reverse.  Thus, as future legislation moves
down the pipeline towards academia, you may be forced to prove how you
segregate duties.  Be sure to consider this before changing ANY access
control lists.

Best of luck in your decision.  I am definitely interested in seeing
your list of benefits that you hope to achieve by making this change.
It is highly likely that someone on this discussion group may have
other ideas of how you can achieve your goals without compromising the
security of your firewalls.

Sincerely,

Sarah E Stevens
Stevens Technologies, Incorporated

> At 01:29 PM 6/8/2005, you wrote:
>
> > If you don't mind sharing, who maintains your firewalls - hardware and
> > operating system, not the firewall software? Currently, our IT Security
> > team are the only people with access to our firewalls, but our networking
> > group is asking for some rights to maintain the hardware and to be able
> > to reboot them. I have mixed feelings about this and wanted to know how
> > other organizations handle this. Also, what are some of the pros and cons
> > of this?  Thanks,
>
> This is a very politically charged issue on some campuses (such as
> ours).  We maintain a centrally-managed peripheral firewall, but
> some units prefer to run their own (some colleges, for example, have very
> talented IT guys with a certain amount of distrust of 'central
> IT').  Additionally, some units (notably Computer Science) want to
> be able to experiment with ports as part of what they do, and would
> prefer the ability to manage their own firewalls for that reason.
> We're conducting a study to form a committee to conduct a study...
>
> I'd be interested in other responses, as we've not got very far with
> managing this so far.
>
> Geoff
>
> Geoffrey S. Nathan <geoffnathan () wayne edu>
> Faculty Liaison, Computing and Information Technology,
>         and Associate Professor of English
> Linguistics Program          Phone Numbers
> Department of English        Computing and Information Technology:  (313) 577-1259
> Wayne State University       Linguistics (English):  (313) 577-8621
> Detroit, MI, 48202           C&IT Fax: (313) 577-1338
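One concrete way to do the "reboot only" grant Sarah describes, as an added example that is not from anyone in this thread: it assumes a Linux-based firewall host administered through sudo, a Unix group named netsvc for Network Services, and the /sbin command paths shown; the check function reads a sudoers fragment and fails if the group is granted anything beyond a reboot.

```shell
#!/bin/sh
# Added example (not from the thread): a reboot-only sudo grant for a
# hypothetical Linux-based firewall host, plus a check that the grant
# gives the Network Services group ('netsvc', assumed) nothing beyond it.

# Emit the fragment that would be installed with:
#   visudo -f /etc/sudoers.d/netsvc-reboot   (path assumed; mode 0440)
netsvc_reboot_fragment() {
    cat <<'EOF'
# Network Services may power-cycle the firewall after hours, nothing else.
Cmnd_Alias FW_REBOOT = /sbin/reboot, /sbin/shutdown -r now
%netsvc ALL=(root) NOPASSWD: FW_REBOOT
EOF
}

# Read a sudoers fragment on stdin. Exit 0 only if (a) FW_REBOOT expands to
# reboot commands alone and (b) every %netsvc rule grants exactly FW_REBOOT.
# Anything else (ALL, a shell, an extra command) is a least-privilege violation.
check_netsvc_only_reboot() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^Cmnd_Alias[[:space:]]+FW_REBOOT[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            n = split($0, c, /,[[:space:]]*/)
            for (i = 1; i <= n; i++)
                if (c[i] !~ /^\/sbin\/(reboot|shutdown -r now)$/) bad = 1
            next
        }
        /^%netsvc[[:space:]]/ {
            n = split($0, parts, ":")      # command list follows the last ":"
            cmds = parts[n]
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", cmds)
            if (n < 2 || cmds != "FW_REBOOT") bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}
```

Run `netsvc_reboot_fragment | check_netsvc_only_reboot` before installing the fragment, and again from a periodic audit job so that a later "small" widening of the grant is caught rather than quietly inherited.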
