Security Basics mailing list archives

Re: Security Approval Process


From: <securityfocus () not4not mailshell com>
Date: Thu, 27 Mar 2003 12:22:53 -0800

I agree with John about centralization of the function, because any change to the firewall(s) and other edge elements 
(external routers and switches as well as remote access or vpn solutions) of corporate security should be a defined 
(written) process of request and confirmation.  Centralization does not mean simply one location, but a part of your 
organization.

Centralization, as John correctly noted, should decrease the probability of a misconfiguration of certain parts of the 
solution (i.e., firewall, router, etc.), but sometimes middleware or other software can compromise security.  I have seen 
very badly configured firewalls, not because the security engineer implemented a request incorrectly, but because internal 
developers or network engineers did not understand the full ramifications of what they were requesting.  NATing is a 
particular function that compromises many solutions.

I suggest that you have firewall rules and the configurations of DMZ routers and equipment printed and reviewed as part 
of the security function.  It is all a part of your corporate security policy.

RAR  

From "JohnNicholson () aol com" <JohnNicholson () aol com> on 26 Mar 2003:

Debbie -

Regardless of whether anyone else does it, I'd say you've got a pretty
good situation as long as it doesn't overwhelm you.

Centralizing a function like that decreases the likelihood that some
random person is going to misconfigure something and open a hole in your
firewall, or that some tech is going to open a hole at the insistence of
a business person.

John


In a message dated 3/25/2003 6:10:11 PM Eastern Standard Time, "Debbie
Torri" <debbietorri () eudoramail com> writes:

Hi, 

I currently approve all production changes to our firewalls
(internet and DMZ) and also approve all VPN requests for external
companies that want access into our network. We have 12 firewalls and
about 700 production servers (Unix and Windows).

This is my question: Do you do this as part of your job?  I have no
clue if this is a normal task done by other security professionals. What
are the pros and cons of doing this?

---
Debbie Torri CISSP
Norwest Industries
Denver, Colorado
