Firewall Wizards mailing list archives

Re: firewall rule lifecycle management

From: Christoph Haas <email () christoph-haas de>
Date: Wed, 31 Aug 2005 14:29:54 +0200

Hi, Michael...

On Tue, Aug 30, 2005 at 10:25:02AM -0500, Michael Cox wrote:

Question: What do those of you in large environments do to manage your 
rulesets in terms of removing access that is no longer required? We get 
lots of requests to add access, but are almost never told when 
something can be removed. This is a large corporation with lots of 
subcontractors, B2B, etc., and we're looking for ideas on how others 
get a handle on this (or does anybody?).


"We" are also a large company (50,000 employees, worldwide subsidiaries).
There is a form on dead trees that we want to have signed before we
grant any access/change any firewall rule. This is to make sure most
people switch on their brains before they want anything. And by signing
the form they become responsible for the machines in question in case
they get hacked.

That very form contains an expiry date. New accesses are only allowed up
to a duration of one year. Many accesses are only needed for a test so
they are activated for a week or a month. Since we have a counter on
every form we can more or less easily "expire" them by looking through
old ones. The comment field in our firewall rules corresponds to the
numers on the forms.

I'm currently working on digital forms so that the users can extend that
period. If they don't react we will get an information that the rule can
be deleted. (Sorry, this isn't open-source since the company is paying
me to do it.)

In addition we have an internal revision department that checks our
rulebase every now and then. Although I have to be honest... they don't
understand every detail. And neither do we. Often the administrators of
the servers do not even know what they do. But that's where theory
differs from reality. :)

This may not be the greatest solution. But it works for us so far.

Regards
 Christoph
-- 
~
~
~
".signature" [Modified] 3 lines --100%--                3,41         All
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

firewall rule lifecycle management Michael Cox (Aug 30)
- RE: firewall rule lifecycle management Bruce Smith (Aug 31)
  - Re: firewall rule lifecycle management Martin (Aug 31)
    - Re: firewall rule lifecycle management Victor Williams (Aug 31)
- Re: firewall rule lifecycle management Skip Carter (Aug 31)
- Re: firewall rule lifecycle management Joe Matusiewicz (Aug 31)
- Re: firewall rule lifecycle management Kevin (Aug 31)
- Re: firewall rule lifecycle management Christoph Haas (Aug 31)
- <Possible follow-ups>
- Fwd: firewall rule lifecycle management Brenno Hiemstra (Aug 31)