Firewall Wizards mailing list archives
Re: Separate firewall administrator and firewall system administrator
From: Rick Smith at Secure Computing <rick_smith () securecomputing com>
Date: Fri, 14 Jun 2002 14:15:56 -0500
At 10:57 AM 6/14/2002, Joe Matusiewicz wrote:
> Greetings, Management came up with this new proposal. Our firewalls should now have the operating system managed by the system administration group. The current firewall administrators should only handle the firewall software. I never heard of this before.
This is an irresistible idea from a management perspective (potential to reduce head count plus expanding someone's IS empire), but from a security perspective it rates as a Really Bad Idea. Thus, I predict that this new policy will eventually take effect.

The dilemma for the firewall administrator is that someday this will prevent the administrator from adequately locking down the firewall from attack. At some point the OS administrators will start treating the firewall as just another device to configure, and make it look the same as the site's desktop machines. Even if things don't start out that way, it's tough to ensure that the situation doesn't arise as the staff changes.

I don't like the way this policy dilutes responsibility for the firewall's integrity. The policy makes it much more likely that the firewall will weaken over time. When/if security breaches occur, the firewall admin and OS admin can avoid blame by pointing fingers at each other. Their respective bosses will probably back them up, which turns the incident into a political flap that protects everyone's job and absorbs management attention without improving site security.

The only solution is to plan on moving to firewall appliances or to firewalls containing an integrated OS. Such devices would be the sole responsibility of the firewall team.