Security Basics mailing list archives

RE: firewall change request


From: "Bahrs, Art" <Arthur.Bahrs () providence org>
Date: Thu, 9 Feb 2012 08:42:52 -0800

I bounced this idea off our Firewall Team and here is a response from one of our best...

My opinion (after creating several firewall change processes),

There are really four critical role components of the change process:
1. the requester
2. the implementer (tech)
3. the business approver
4. the service approver

In small shops, it isn't unheard of for the implementer and service approver to be the same person. They are usually 
the one with the most security experience or technical experience.

However, each of these roles should have a clear policy to guide them in their decision making.
The requester and implementer probably have it the easiest as their guides are the technology requirements and 
processes. The business approver will (in the absence of a formal policy) make decisions based on cost, time and 
ability to provide products or services with or without the change. Then we have the service approver.

The service approver or risk acceptance role has the largest decision in the process as they must make the 
determination to increase the risk to the business by opening up potential attack vectors. Burying the C-level with the 
typical volume of firewall changes doesn't do anyone much good, but allowing the techs to decide may overlook some of 
the risk acceptance decisions of the business leadership. And here is your conundrum.

We chose to look at the ability to operationalize as much as possible by defining a clear policy about what (in general 
to the firewall) acceptable risk would be for firewall changes and then allowed the Infosec team to approve based on 
those general policy considerations. Something along the lines of "adhere to NIST firewall guidelines for service port 
rules". Anything that is rejected by the base policy or critical in nature can then be submitted to the CISO for unique 
arbitration and approval decisions.

This cut our response time for firewall changes and minimized the volume of requests that needed to go to our ISOs. 
They still make major policy decisions, but if they say it is acceptable risk to allow (for business purposes) RDP 
outbound to specific hosts from specific users/roles, then the Infosec team can act on that decision going forward.

This was our solution to give the powers and ability to act to the appropriate roles.  Why should a C-level need to 
decide every RDP request? They shouldn't. They should get the first request (that isn't addressed by the general 
guidance), cooperate with the Infosec team to generalize the decision and allow the Infosec team to process RDP 
requests in the future along those policies (until something comes along that necessitates the review of the policy).

Again, it is my opinion that unnecessarily burdening an operational process with strategic decision making is better 
than nothing, but just barely. Keep the strategic decision makers at the "helm" so to speak to set policy, but get them 
out of the transactional operational processes that require consistent and continual decision making that should be 
based on a policy.

And just to clarify, I'm using the term policy in this response as a generalized term for management or leadership 
guidance. A piece of paper with signatures and definitions is great, but the real policy in these cases is the guidance 
and prior decisions from strategic leadership.

Thanks
Art

Art Bahrs, CISSP
Security Engineer (Oregon Region)
(503) 216-2722

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of marck e.
Sent: Wednesday, February 08, 2012 10:35 AM
To: security-basics () securityfocus com
Subject: firewall change request

I'm reviewing the firewall change management procedure for our
organization. The Infosec Dpt. shift, which is a small org unit, doesn't
cover full business hours, in part because they don't operate the IT
infrastructure.
We are struggling with the part of who should decide to approve or not
to approve the change requests.
Should it be the CISO or either of the two persons in the Infosec Dpt.? Should the CISO
read every firewall request and approve it?
Should the Infosec Dpt. have its own operational area and create a
Security Access Manager or something like that? In that case, this
new function would review firewall and other types of authorization
change requests.
If the Infosec Dpt. is not allowed to grow, who should be the approver?

Thanks

M.
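The tiered approval flow described in Art's reply (business sign-off, base policy check, standing decisions that let Infosec act, everything else escalated to the CISO) can be encoded as a small triage routine. This is an added illustration, not code from the list posters or their organization; the role names, port values and the "base denied ports" set are constructed sample data, not NIST guidance.

```python
"""Policy-driven triage of firewall change requests (constructed example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ChangeRequest:
    requester: str          # role 1: who asks for the change
    role: str               # business role the rule would apply to
    direction: str          # "inbound" or "outbound"
    dst_hosts: frozenset    # destination hosts the rule would permit
    port: int
    business_approved: bool = False  # role 3 (business approver) sign-off


@dataclass(frozen=True)
class StandingDecision:
    """A prior CISO decision generalized into policy, e.g. RDP outbound for a role."""
    role: str
    direction: str
    port: int
    dst_hosts: frozenset


@dataclass
class Policy:
    base_denied_ports: frozenset                 # rejected outright by base policy
    standing: list = field(default_factory=list)  # decisions Infosec may act on


def triage(req: ChangeRequest, policy: Policy) -> tuple:
    """Route a request to the role that may decide it; returns (decision, reason)."""
    if not req.business_approved:
        return ("return_to_requester", "business approver has not signed off")
    if req.port in policy.base_denied_ports:
        return ("escalate_ciso", f"port {req.port} is rejected by base policy")
    if req.direction == "inbound":
        return ("escalate_ciso", "inbound exposure is critical in nature")
    for d in policy.standing:  # covered by a generalized prior decision?
        if (d.role, d.direction, d.port) == (req.role, req.direction, req.port) \
                and req.dst_hosts <= d.dst_hosts:
            return ("infosec_approve", f"covered by standing decision for {d.role}")
    return ("escalate_ciso", "no standing decision covers this request")


def record_decision(policy: Policy, req: ChangeRequest) -> None:
    """CISO approved a first-of-kind request: generalize it so Infosec handles repeats."""
    policy.standing.append(StandingDecision(req.role, req.direction, req.port, req.dst_hosts))


def sample_policy() -> Policy:
    """Constructed sample: telnet denied by base policy; RDP outbound pre-approved for admins."""
    rdp = StandingDecision("remote-admins", "outbound", 3389, frozenset({"10.0.0.5", "10.0.0.6"}))
    return Policy(base_denied_ports=frozenset({23}), standing=[rdp])
```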
