Security Basics mailing list archives

Re: Network Engineer vs. Network Security Engineer

From: "Johnathan" <martinez85 () att blackberry net>
Date: Tue, 12 Jan 2010 04:27:05 +0000

Thank you all for your feedback. Sorry for the late response all, I wanted to wait until a decent amount of responses 
came in so that I could respond at once .I see my self a security professional who dabbles in a little of everything. 
As I stated before, our program is really just getting started and there are only two of us within security on the 
internal side of security. How the company sees my role is a little difficult to answer because my job description 
really hasn’t been defined and it’s most likely going to come down to my department (myself and the ISO) to come up 
with a description. We have an internal audit department within our company who hands off a lot of tasks to our 
department, which we are trying to cut very fast. We are currently in the last stages in the development of our 
policies and procedures. I’m not, per se, directly involved in the development, but have contributed help to get us to 
where are at today. The funny thing is that I gave the Senior Network Engineer a heads up that I needed access. He told 
me that he would need our Director’s approval before he could grant such access, which is currently our procedure. My 
department actually spoke with him prior to formal request access, and he was fine with this level of access. I 
received the formal approval from the Director, and once the engineer saw that, he went to him behind my department's 
back said something that made the Director change his mind. It is still unknown to what the engineer said to the 
director to make him change his mind. Read access was granted, at the very most. My company isn’t very large in it’s 
user base, about 5,000 employees, but we are a publicly traded global company and our network is about the equivalent 
to other large scale enterprises. As I stated earlier, my role hasn’t been clearly defined. Everyone seems to have a 
valid argument. On one side, if I am developing and implementing policies and procedures, I have no business make any 
type of changes. On the flip side, if there were clearly defined roles within my security department, I could 
essentially manage the aforementioned security devices. Here’s the thing, and why I have become upset about all of 
this. I am very interested in Cisco Security and have already perused the Cisco Security route. What’s the point of 
Cisco having a security track if I can’t do anything with our Cisco Security Devices? 

btw, we do have an identity management system in place.

----
Johnathan

Sent via BlackBerry by AT&T

-----Original Message-----
From: Lauren Twele <ltwele () symplified com>
Date: Mon, 11 Jan 2010 15:22:02 
To: <Michael.Barber () wellsfargo com>; <martinez85 () att blackberry net>; <security-basics () securityfocus com>
Subject: Re: Network Engineer vs. Network Security Engineer

Are you using an identity management product of any sort to set rules and
policies and to monitor audit logs? IDM products also assist with
provisioning and de-provisioning of employees.


On 1/11/10 12:31 PM, "Michael.Barber () wellsfargo com"
<Michael.Barber () wellsfargo com> wrote:

My 0.02 on the topic.

First.  Any single point of failure.. such as only one person with access to
the systems is poor policy and/or management.  Who audits the actions of the
sole access individual?

After that, job roles and definitions have some guidelines.. but, this sounds
like more of an internal politics fight.  Turf wars are great.

A discussion and review on separation of duties would seem appropriate.
http://www.sans.edu/resources/securitylab/it_separation_duties.php


Good luck.


Thanks,
Mike Barber
Security Analyst
PowerBroker, VAS and UnixSecure Support
IST - Unix/QA Infrastructure Services (Charlotte)
o. (704) 427-0512
m. (704) 607-8879
Charlotte, NC




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Jason Hurst
Sent: Monday, January 11, 2010 10:45 AM
To: martinez85 () att blackberry net; security-basics () securityfocus com
Subject: RE: Network Engineer vs. Network Security Engineer

Hi Johnathan,

That is a tough question, and all I could say is that it depends on what you
see your role as, and what the company sees your role as.

Are you the security auditor and developer of security policy? If you are,
then you should NOT have "write" access to the IPS, IDS, Routers, and ASA
devices, because then you would be auditing your own work. In that context,
you should have "read only" access to these devices, and pass change requests
to the Network engineer to make tuning changes. This would enable an adequate
level of segregation of duties.

However, perhaps you are not the auditor, and you are implementing already
established security policy at your company. In that case, you should have
"write" authority to these security devices, as the Network Engineer should
have primary responsibility of network connectivity, and you should have
primary responsibility of security rules.

But some further information might be helpful. What was the reason that the
Network Engineer gave for denying your access? Was it a segregation of duties
argument, or was there something else? Did he deny even read access?
 
Jason Hurst
Sr. Network Security Administrator
Panda Restaurant Group
jason.hurst () pandarg com
Please consider the environment before printing this email

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Johnathan
Sent: Saturday, January 09, 2010 9:04 AM
To: security-basics () securityfocus com
Subject: Network Engineer vs. Network Security Engineer

Hello List,

I am Security Engineer/Analyst at a company who is currently building their
security program and have run into a issue on defining a Network Security
Engineer's roles and duties versus a Network Engineer (on the LAN/WAN side)
and where a line is drawn and what should overlap.

This subject came about when I requested access to our Cisco IPS, IDS and
ASAs. The senior engineer (who, by the way, is the only person who has full
access to all of our Cisco routers, switches, IPS, IDS, ASAs, etc.) within my
company fought to disallow my access.

We have Cisco MARS implemented, and I am the primary manager of that device
and require access to our Cisco security devices (IPS, IDS, etc.) to
sufficiently tune and update the appliance.

Was I and am I wrong for requesting access and wanting it? Where should the
line be drawn as far as duties and roles? Not just for Cisco security devices
but on an enterprise wide scale.

I would really appreciate any responses to this.

Than You. 

----
Johnathan

Sent via BlackBerry by AT&T

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Current thread:

Re: Best firewall applience, (continued)
- - - Re: Best firewall applience Francois Yang (Jan 13)
    - RE: Best firewall appliance Andy Cuff (Jan 13)
    - Re: Best firewall applience Charlie Clark (Jan 13)
    - Re: Best firewall applience Chris Brenton (Jan 18)
    - RE: Best firewall applience Scott Race (Jan 19)
    - Re: Best firewall applience Jeremy Nenadal (Jan 13)
    - Re: Best firewall applience David Gadoury (Jan 13)
    - Re: Best firewall applience Asaf Maruf (Jan 13)
    - RE: Best firewall applience Quark Group - Hilton Travis (Jan 13)
    - Re: Best firewall applience Stephen Mullins (Jan 18)
    - Re: Network Engineer vs. Network Security Engineer Johnathan (Jan 12)
- RE: Network Engineer vs. Network Security Engineer (UNCLASSIFIED) Natividad, Victor E Mr CTR USA (Jan 11)
- Re: Network Engineer vs. Network Security Engineer gig (Jan 11)
- Re: Network Engineer vs. Network Security Engineer ron (Jan 12)