Firewall Wizards mailing list archives
Re: Separate firewall administrator and firewall system administrator
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Fri, 14 Jun 2002 19:45:13 +0200
Joe Matusiewicz wrote:
Management came up with this new proposal. Our firewalls should now have the operating system managed by the system administration group. The current firewall administrators should only handle the firewall software. I never heard of this before. Is there anyone out there doing this?
I feel your pain. Have you tried this approach?

- Explain the following:
  - The majority of the "real-life" security hazards are due to mishandling: bad software installs, bad passwords, bad configurations, etc...
  - The total function of a firewall is the sum of _everything_ on the box. This includes the ruleset, but _also_ patch levels, passwords, (not suddenly deciding to offload the web server by moving some of the scripts to the firewall box), etc..
  - The firewall is there to protect against _at least_ the majority of security holes. That is: holes caused by previously mentioned sysadmins.

..... wait half a minute for dime to drop, otherwise apply clue-by-4, wash, rinse, and repeat.

Or, alternatively: if it's an option, get a firewall without a full-blown underlying OS. Getting one with an oddball OS that your admins won't want to handle (but one that you can) probably won't be an option due to politics.

If all else fails, type up a paper stating the above logic, and get management to sign off on your protests. This might scare weasel execs into hating you and giving in (not wanting to be the one to blame). Hard-headed execs on the other hand might just end up hating you and go through with it anyway to spite you. [1]

Good luck
/Mikael

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50 WWW: http://www.clavister.com

[1] Have you ever noticed how some execs just seem to get younger and younger every time they get promoted? I've always hated the four-year-old stage myself.