Security Basics mailing list archives

RE: firewall change request

From: Dan Lynch <DLynch () placer ca gov>
Date: Fri, 17 Feb 2012 08:49:30 -0800

There have been a couple really good, detailed answers to this issue. Do others on the list have no change controls to
speak of? And if you do, what changes are people allowed to make without a requiring a formal process of review,
approval and documentation? For those with clear policy guidance, would you be willing to share the details?

For me, our policy says that the change request process is required for "any change that has a reasonable expectation
of impacting customer service availability". In reality though, we go through the full process for any and all firewall
rule changes, regardless the expected impact on service availability, like adding a host object to a group, then
installing policy.

We use a browser-based form in which we specify the changes to be made and their impact. This must receive the prior
approval of at least one of seven IT supervisors, and at least one higher level IT manager. One of these supervises the
firewall team, the other has authority over IT for a business unit that might be affected. Neither has more than
rudimentary experience in or knowledge of firewalls or networking. The other five can sign off the change after the
fact.

(In reality, we first request permission to submit the request, from these same supervisors. The form doesn't get
filled out until we've received their permission do it. We request permission to request permission to perform a
change. The entire process can take up to a week.)

They then specify when the change can be made. Some changes are made the same day during business hours, others wait
until an after hours window opens, usually simply after 5:30 pm. In the case of one critical firewall cluster, there is
only one window per month, a Tuesday between 4:00 am and 6:00 am.

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase,
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Current thread:

firewall change request marck e. (Feb 08)
- RE: firewall change request Bahrs, Art (Feb 09)
- RE: firewall change request Dan Lynch (Feb 20)
  - RE: firewall change request Daniel Tran (Feb 20)
- <Possible follow-ups>
- Re: firewall change request kartik . netsec (Feb 08)
- Re: firewall change request wraith (Feb 12)
- Re: RE: firewall change request kartik . netsec (Feb 21)