Firewall Wizards mailing list archives

Re: Firewalls and IS Network bodies


From: chuck yerkes <Chuck () yerkes com>
Date: Thu, 11 Dec 1997 18:25:40 -0500 (EST)

It is claimed, but unverified, that Mike van der Walt wrote:

> I am trying to convince my management why a security environment should
> retain the firewall administration.  They believe that the function
> should be handed to the networking department.
>
> What are your reasons/feelings either way?  Should I agree with them or
> should I continue to fight the good fight?

Wow, 6 lines of content, 100 lines of S/MIME signature.  For a
list.  Is this effective use of bandwidth?

This is difficult to answer. It's an artificial boundary in the
first place.  I was recently offering to a cohort that some
routers on their network could do NTP broadcasts. It wasn't going
to happen because the network group didn't do host infrastructure.

Well, the firewall (essentially) passes packets, so it's like a
router (and may include routers), but it's running Unix (the good
ones:), so it should be the Unix admins'.

  Solutions I've seen are to have a core infrastructure group
run it.  Internet Services run DNS & web machines (not content),
time servers, mail servers, and firewalls (hosts and routers).
Working *WITH* the network people and Data Security, Internet
Services maintains control over the machines but remains
separate from these groups and from the client groups.  SA's in
this group can certainly be available to the general SA group
(as time permits), but they have primary duty to
infrastructure/firewall.

 This reduces conflict of interest over client demands for
stupid things (can you route these UDP packets from the Internet
to the sensitive production machines?).

chuck


