RE: Separate firewall administrator and firewall system administrator

["Paul D. Robertson" <proberts () patriot net>]

On Fri, 14 Jun 2002, Bill Royds wrote:

> That's not a bad idea, since it follows separation of duties principles =
> and allows experts to be working in their area of expertise.

I think that's an oversimplification that doesn't quite ring true-

Seperation of duties is only a good thing when there's a significant 
advantage to doing so (or no significant disadvantage.)

In this particular case, the OS administrators would be running systems 
that are probably outside their area of expertise (I don't know about you, 
but I do a pretty different OS install, and follow a different maintenance 
process and decision tree for firewalls than I do for Web servers or file 
servers.)

>  The main caveat is that there needs to be a change management procedure =
> for any changes n either the firewall configuration or system =
> configuration so that the both administrators are confident that there =
> is no conflict that could create risk.

The only way the firewall administrator can be confident is to know enough 
about the OS management stuff to be able to do it.

>  Your main concern as security administrator is that changes to OS =
> configuration could create a vulnerable system holding your firewall. So =
> you need to be aware of  and have control of patches and all services =
> running on the firewall platform. You don't want your box administrators =

You don't have control of the patches if you're not applying them.

> putting in SNMP on the firewall, for example.
> But if they administrate what you specify, you now have two sets of eyes =
> looking at things, lowering the risk of misconfiguration.

Admins all have different ways of adminning boxes- and the audit 
requirements just shot through the roof.  The additional complexity seems 
to me to be a downside.

Also, it may be that the firewall/security group currently balances out 
rogue administrators- but if the admin group can now circumvent the 
firewall, you've lost an important control point.

Also, in a policy-rich environment, the OS admin group may have policies 
like "PC Anywhere must be on all systems administered by this group," 
"SNMP monitoring and alerting must be used," and "All servers must 
participate in the global password sharing and trading scheme."  How much 
focus do you think the OS group's management will give to ensuring that a 
single set of machines DOESN"T confrm to the "normal" policies?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards