Firewall Wizards mailing list archives

Re: Separate firewall administrator and firewall system administrator


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Fri, 14 Jun 2002 19:45:13 +0200



Joe Matusiewicz wrote:

Management came up with this new proposal.  Our firewalls should now have
the operating system managed by the system administration group.  The
current firewall administrators should only handle the firewall
software.  I never heard of this before.  Is there anyone out there doing this?


I feel your pain.

Have you tried this approach?  - Explain the following:

- The majority of the "real-life" security hazards are due to 
  mishandling: bad software installs, bad passwords, bad 
  configurations, etc...

- The total function of a firewall is the sum of _everything_ on 
  the box. This includes the ruleset, but _also_ patch levels, 
  passwords, (not suddenly deciding to offload the web server by
  moving some of the scripts to the firewall box), etc.

- The firewall is there to protect against _at least_ the 
  majority of security holes. That is: holes caused by previously
  mentioned sysadmins.

..... wait half a minute for dime to drop, otherwise apply 
      clue-by-4, wash, rinse, and repeat.


Or, alternatively: if it's an option, get a firewall without a
full-blown underlying OS.  Getting one with an oddball OS that
your admins won't want to handle (but one that you can) probably 
won't be an option due to politics.

If all else fails, type up a paper stating the above logic, and
get management to sign off on your protests.  This might scare
weasel execs into hating you and giving in (not wanting to be 
the one to blame). Hard-headed execs on the other hand might just
end up hating you and go through with it anyway to spite you. [1]


Good luck
/Mikael

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com

[1] Have you ever noticed how some execs just seem to get younger
    and younger every time they get promoted? I've always hated
    the four-year-old stage myself.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

