Firewall Wizards mailing list archives
Re: firewall rule lifecycle management
From: Christoph Haas <email () christoph-haas de>
Date: Wed, 31 Aug 2005 14:29:54 +0200
Hi, Michael... On Tue, Aug 30, 2005 at 10:25:02AM -0500, Michael Cox wrote:
Question: What do those of you in large environments do to manage your rulesets in terms of removing access that is no longer required? We get lots of requests to add access, but are almost never told when something can be removed. This is a large corporation with lots of subcontractors, B2B, etc., and we're looking for ideas on how others get a handle on this (or does anybody?).
"We" are also a large company (50,000 employees, worldwide subsidiaries). There is a form on dead trees that we want to have signed before we grant any access/change any firewall rule. This is to make sure most people switch on their brains before they want anything. And by signing the form they become responsible for the machines in question in case they get hacked.

That very form contains an expiry date. New accesses are only allowed up to a duration of one year. Many accesses are only needed for a test, so they are activated for a week or a month. Since we have a counter on every form we can more or less easily "expire" them by looking through old ones. The comment field in our firewall rules corresponds to the numbers on the forms.

I'm currently working on digital forms so that the users can extend that period. If they don't react we will be informed that the rule can be deleted. (Sorry, this isn't open-source since the company is paying me to do it.)

In addition we have an internal revision department that checks our rulebase every now and then. Although I have to be honest... they don't understand every detail. And neither do we. Often the administrators of the servers do not even know what they do. But that's where theory differs from reality. :)

This may not be the greatest solution. But it works for us so far.

Regards
Christoph
--
~ ~ ~ ".signature" [Modified] 3 lines --100%-- 3,41 All

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
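The mechanism Christoph describes, a form number in each rule's comment field that is checked against a register of forms with expiry dates, is easy to automate. The following is an added example and not code from the thread or from Christoph's own tooling: it assumes an iptables-save style ruleset with `-m comment --comment "FORM-<n>"` on granted rules, a form register mapping form number to owner and expiry date, and constructed sample data. It reports rules whose form has expired, rules that reference a form nobody has on file, and rules that were never tied to a form at all, plus the forms that are about to expire so the owners can be asked to extend them before the rule is removed.

```python
"""Added example (not from the original thread): cross-reference firewall
rule comments with a register of signed access forms and report rules whose
form has expired or that carry no form reference at all.  The rule format
(iptables-save style with `-m comment --comment "FORM-<n>"`), the form
register and all sample data below are constructed assumptions."""
import re
from datetime import date, timedelta

# Constructed sample ruleset.  Rules granted through the form process carry
# the form number in the comment; one rule slipped in without one.
SAMPLE_RULES = """\
-A FORWARD -s 10.1.2.0/24 -d 10.9.0.5 -p tcp --dport 443 -m comment --comment "FORM-1041" -j ACCEPT
-A FORWARD -s 192.0.2.10 -d 10.9.0.7 -p tcp --dport 22 -m comment --comment "FORM-1107 test access" -j ACCEPT
-A FORWARD -s 198.51.100.0/24 -d 10.9.0.8 -p tcp --dport 1433 -j ACCEPT
-A FORWARD -s 10.1.3.0/24 -d 10.9.0.9 -p tcp --dport 8080 -m comment --comment "FORM-1200" -j ACCEPT
-A FORWARD -s 10.1.4.0/24 -d 10.9.0.10 -p tcp --dport 25 -m comment --comment "FORM-0877" -j ACCEPT
-A FORWARD -j DROP
"""

# Constructed register: form number -> (owner, expiry date as ISO string).
# Each form grants at most one year, as in the process described above.
SAMPLE_FORMS = {
    1041: ("alice", "2005-06-30"),
    1107: ("bob", "2005-09-07"),
    1200: ("carol", "2006-03-01"),
}

FORM_RE = re.compile(r'--comment\s+"FORM-(\d+)[^"]*"')


def audit_rules(rules_text, forms, today_iso):
    """Classify every ACCEPT rule (granted access is what the form process
    covers; the terminal DROP is not audited).  Returns a dict with keys
    'expired', 'unknown_form' and 'no_form'."""
    today = date.fromisoformat(today_iso)
    report = {"expired": [], "unknown_form": [], "no_form": []}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or not line.endswith("-j ACCEPT"):
            continue
        m = FORM_RE.search(line)
        if m is None:
            # Access nobody signed for: nobody is responsible for it.
            report["no_form"].append(line)
            continue
        form_no = int(m.group(1))
        if form_no not in forms:
            # A comment that points at a form we cannot find on file.
            report["unknown_form"].append((form_no, line))
            continue
        owner, expires_iso = forms[form_no]
        if date.fromisoformat(expires_iso) < today:
            report["expired"].append((form_no, owner, expires_iso, line))
    return report


def forms_expiring_within(forms, today_iso, days):
    """Forms that expire in the next `days` days: the owners to remind so
    they can extend the period before the rule is deleted.  Returns a
    sorted list of (form_no, owner, expiry_iso)."""
    today = date.fromisoformat(today_iso)
    horizon = today + timedelta(days=days)
    return sorted(
        (no, owner, exp)
        for no, (owner, exp) in forms.items()
        if today <= date.fromisoformat(exp) <= horizon
    )


if __name__ == "__main__":
    today = "2005-08-31"
    rep = audit_rules(SAMPLE_RULES, SAMPLE_FORMS, today)
    for no, owner, exp, rule in rep["expired"]:
        print(f"EXPIRED  FORM-{no} ({owner}, {exp}): {rule}")
    for no, rule in rep["unknown_form"]:
        print(f"UNKNOWN  FORM-{no}: {rule}")
    for rule in rep["no_form"]:
        print(f"NO FORM  {rule}")
    for no, owner, exp in forms_expiring_within(SAMPLE_FORMS, today, 14):
        print(f"REMIND   FORM-{no} ({owner}) expires {exp}")
```

Run against a real ruleset, the "no_form" list is usually the interesting one: those are the rules that predate the process or bypassed it, and the first candidates for a cleanup review since nobody has signed for them.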
Current thread:
- firewall rule lifecycle management Michael Cox (Aug 30)
- RE: firewall rule lifecycle management Bruce Smith (Aug 31)
- Re: firewall rule lifecycle management Martin (Aug 31)
- Re: firewall rule lifecycle management Victor Williams (Aug 31)
- Re: firewall rule lifecycle management Martin (Aug 31)
- Re: firewall rule lifecycle management Skip Carter (Aug 31)
- Re: firewall rule lifecycle management Joe Matusiewicz (Aug 31)
- Re: firewall rule lifecycle management Kevin (Aug 31)
- Re: firewall rule lifecycle management Christoph Haas (Aug 31)
- <Possible follow-ups>
- Fwd: firewall rule lifecycle management Brenno Hiemstra (Aug 31)
- RE: firewall rule lifecycle management Bruce Smith (Aug 31)