Firewall Wizards mailing list archives

Re: Separate firewall administrator and firewall system administrator


From: Rick Smith at Secure Computing <rick_smith () securecomputing com>
Date: Fri, 14 Jun 2002 14:15:56 -0500

At 10:57 AM 6/14/2002, Joe Matusiewicz wrote:
Greetings,

Management came up with this new proposal.  Our firewalls should now have the operating system managed by the system 
administration group.  The current firewall administrators should only handle the firewall software.  I never heard of 
this before. 

This is an irresistible idea from a management perspective (potential to reduce head count plus expanding someone's IS 
empire), but from a security perspective it rates as a Really Bad Idea. Thus, I predict that this new policy will 
eventually take effect.

The dilemma for the firewall administrator is that someday this will prevent the administrator from adequately locking 
down the firewall from attack. At some point the OS administrators will start treating the firewall as just another 
device to configure, and make it look the same as the site's desktop machines. Even if things don't start out that way, 
it's tough to ensure that the situation doesn't arise as the staff changes.

I don't like the way this policy dilutes responsibility for the firewall's integrity. The policy makes it much more 
likely that the firewall will weaken over time. When/if security breaches occur, the firewall admin and OS admin can 
avoid blame by pointing fingers at each other. Their respective bosses will probably back them up, which turns the 
incident into a political flap that protects everyone's job and absorbs management attention without improving site 
security.

The only solution is to plan on moving to firewall appliances or to firewalls containing an integrated OS. Such devices 
would be the sole responsibility of the firewall team. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards