Firewall Wizards mailing list archives

RE: Re: Air Gaps vs. Firewalls


From: Rick Smith <rick_smith () securecomputing com>
Date: Wed, 04 Oct 2000 14:11:10 -0500

At 11:57 AM 10/4/00, Ryan Russell wrote:

> Where something like this would really be fun is in a situation where the
> firewall admin/security officers/whatever is supposed to approve new web
> apps.  This would actually give them a way to enforce the policy.

Putting the security admin "in the loop" for approving new apps will increase the admin's backlog of things to do, and such people are usually part time, or overworked, or both, already.

In addition, many companies are treating web sites like performances as opposed to engineering artifacts: they're intended to engage visitors and keep them interested. This requires "freshness" that comes from continuous changes.

We need to provide the best security we can without making it take "too long" to revise the site.

One approach is to establish some parameters for "easy" versus "hard" changes to the site. Easy changes they do themselves and the changes "just work." Hard changes take longer and involve the security staff.

> I used to have a problem at a previous job with systems administrators
> attaching new machines to the DMZ, thinking they were going to go
> live.  They could get an address, and figure out which port to plug into
> on the switch, but they got nowhere until I changed the firewall
> config. (After completing the lockdown/review process that was supposed
> to happen before they got that far, of course.)

That might be an example: modifying pages might be an "easy" change that doesn't involve the security folks, but they can't install new machines unless security gets involved.

Rick.
smith () securecomputing com


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

