Security Basics mailing list archives

RE: firewall change request


From: "Daniel Tran" <daniel.tran () gnofcu com>
Date: Mon, 20 Feb 2012 12:08:38 -0600

Does anyone have a form that you are willing to share?


Thank you,


Daniel Tran

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Dan Lynch
Sent: Friday, February 17, 2012 10:50 AM
To: security-basics () securityfocus com
Subject: RE: firewall change request


There have been a couple really good, detailed answers to this issue. Do
others on the list have no change controls to speak of? And if you do,
what changes are people allowed to make without requiring a formal
process of review, approval and documentation? For those with clear
policy guidance, would you be willing to share the details?

For me, our policy says that the change request process is required for
"any change that has a reasonable expectation of impacting customer
service availability". In reality though, we go through the full process
for any and all firewall rule changes, regardless of the expected impact on
service availability, like adding a host object to a group, then
installing policy. 

We use a browser-based form in which we specify the changes to be made
and their impact. This must receive the prior approval of at least one
of seven IT supervisors, and at least one higher level IT manager. One
of these supervises the firewall team, the other has authority over IT
for a business unit that might be affected. Neither has more than
rudimentary experience in or knowledge of firewalls or networking. The
other five can sign off the change after the fact.

(In reality, we first request permission to submit the request, from
these same supervisors. The form doesn't get filled out until we've
received their permission to do it. We request permission to request
permission to perform a change. The entire process can take up to a
week.)

They then specify when the change can be made. Some changes are made the
same day during business hours, others wait until an after hours window
opens, usually simply after 5:30 pm. In the case of one critical
firewall cluster, there is only one window per month, a Tuesday between
4:00 am and 6:00 am. 



Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA







