Security Basics mailing list archives

Re: RE: firewall change request

From: kartik.netsec () gmail com
Date: Tue, 21 Feb 2012 05:21:35 GMT

Hi, we also use browser based form (in fact a ticketing tool) in which we specify what all changes needs to be made.
For Firewall related forms we have MANDATORY fields like source, destination, Ports, Protocol, If the change is
temporary or permanent (if temp, specify end date), Impact and Business justification of the change. There is also a
field which asks for date/ time of the change. However, the changes are made only twice a week.

In our scenario,

Example 1:- say Unix team requires some ports to be opened on firewall, the change requester opens a request in the
tool. The request first goes to the MANAGER/ Lead of Unix team for the approval. Then, the request goes to Firewall Mgt
Lead/ Manager to see the technical stuffs in the request. If he approves, the request finally goes to IT Security
department wherein CISO approves the change.

Example 2:- Windows team needs to build a server (say physical). They have to build it offline, as they are not
provided with the IP address by Network team without going through a change control process. Once they get the IP
address, the server is put in an isolated segment (say DEV/ QA) until security tools (AV/ HIPS/ Sec mgt tools etc) and
all the relevant patches are installed on them. The server is checked against the hardening policy by Server Admin, and
then it is scanned against the security tool in order to check if the server complies with the security policy. Once,
all is OK, a form is signed by Server admin, security admin who ran the scanning tool and IT Security. Then only the
server is put in Prod network.

The changes with higher impact are first discussed in Change Advisory Board.

There are absolutely no changes that people can make without going through the change management framework.

Thanks,
Kartik, CISSP, CISM

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase,
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Current thread:

firewall change request marck e. (Feb 08)
- RE: firewall change request Bahrs, Art (Feb 09)
- RE: firewall change request Dan Lynch (Feb 20)
  - RE: firewall change request Daniel Tran (Feb 20)
- <Possible follow-ups>
- Re: firewall change request kartik . netsec (Feb 08)
- Re: firewall change request wraith (Feb 12)
- Re: RE: firewall change request kartik . netsec (Feb 21)