Firewall Wizards mailing list archives
RE: Separate firewall administrator and firewall system administrator
From: "Paul D. Robertson" <proberts () patriot net>
Date: Fri, 14 Jun 2002 20:06:15 -0400 (EDT)
On Fri, 14 Jun 2002, Bill Royds wrote:
> That's not a bad idea, since it follows separation of duties principles and allows experts to be working in their area of expertise.
I think that's an oversimplification that doesn't quite ring true. Separation of duties is only a good thing when there's a significant advantage to doing so (or no significant disadvantage). In this particular case, the OS administrators would be running systems that are probably outside their area of expertise (I don't know about you, but I do a pretty different OS install, and follow a different maintenance process and decision tree, for firewalls than I do for Web servers or file servers).
> The main caveat is that there needs to be a change management procedure for any changes in either the firewall configuration or system configuration so that both administrators are confident that there is no conflict that could create risk.
The only way the firewall administrator can be confident is to know enough about the OS management stuff to be able to do it.
> Your main concern as security administrator is that changes to OS configuration could create a vulnerable system holding your firewall. So you need to be aware of and have control of patches and all services running on the firewall platform. You don't want your box administrators
You don't have control of the patches if you're not applying them.
> putting in SNMP on the firewall, for example. But if they administrate what you specify, you now have two sets of eyes looking at things, lowering the risk of misconfiguration.
Admins all have different ways of adminning boxes, and the audit requirements just shot through the roof. The additional complexity seems to me to be a downside.

Also, it may be that the firewall/security group currently balances out rogue administrators, but if the admin group can now circumvent the firewall, you've lost an important control point.

Also, in a policy-rich environment, the OS admin group may have policies like "PC Anywhere must be on all systems administered by this group," "SNMP monitoring and alerting must be used," and "All servers must participate in the global password sharing and trading scheme." How much focus do you think the OS group's management will give to ensuring that a single set of machines DOESN'T conform to the "normal" policies?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Separate firewall administrator and firewall system administrator Joe Matusiewicz (Jun 14)
- Re: Separate firewall administrator and firewall system administrator Adam Shostack (Jun 16)
- Re: Separate firewall administrator and firewall system administrator Robert Sim (Jun 16)
- Re: Separate firewall administrator and firewall systemadministrator Mikael Olsson (Jun 16)
- RE: Separate firewall administrator and firewall system administrator Bill Royds (Jun 16)
- RE: Separate firewall administrator and firewall system administrator Paul D. Robertson (Jun 16)
- RE: Separate firewall administrator and firewall system administrator Ron DuFresne (Jun 16)
- Re: Separate firewall administrator and firewall system administrator Paul D. Robertson (Jun 16)
- Re: Separate firewall administrator and firewall system administrator Rick Smith at Secure Computing (Jun 16)
- RE: Separate firewall administrator and firewall system administrator Yin To Chu (Jun 16)
- RE: Separate firewall administrator and firewall system administrator Yin To Chu (Jun 16)
- Re: Separate firewall administrator and firewall system administrator David R. Matusiak (Jun 16)
- Re: Separate firewall administrator and firewall system administrator Paul D. Robertson (Jun 16)
- Re: Separate firewall administrator and firewall system administrator Paul Alukal (Jun 17)