Firewall Wizards mailing list archives

Re: Separate firewall administrator and firewall system administrator


From: "Paul D. Robertson" <proberts () patriot net>
Date: Fri, 14 Jun 2002 20:23:35 -0400 (EDT)

On Fri, 14 Jun 2002, David R. Matusiak wrote:

> Most security people will balk at the idea of sharing a system or systems
> with other team members. Mostly because they imagine the Systems
> Administration staff to be incompetent in regards to their duties. I would
> argue that this is not always the case.

I think you're a little off (though for some sets of institutions, it's 
certainly true)-

It's not incompetent in regards to their duties, it's incompetent in 
regards to security engineering principles- which are much more important 
on a firewall box than on an internal server for a large number of places 
(note that it's probably true that it *shouldn't* be more important.)

> However, in smaller and more tightly-knit environs, the Security folks and
> the SysAdmins can work in perfect harmony. In these cases, there is a
> large amount of knowledge sharing and both parties generally wind up doing
> their work better. This can lead to a nice benefit in "failover
> protection" to lighten your pager load on weekends.*

If you're in an environment where your responsibility is the security of 
an organization, you need to have a fair level of platform trust- as a 
protection device, firewall responsibility generally goes beyond 
"application that people use to surf," that mindset difference is why most 
"normal" IT staff don't fare well working with security people.

I've seen security and IT departments at a fairly large number of 
companies, and I can still count the number of firewalls I've seen 
compromised.  Taking a technology that relies on blocking to work, and 
putting it in the hands of a group that's MBO'd by enabling is a base 
philosophy conflict.

Splitting things between an OS group and a security group will cause issues 
in getting things applied, or lack of responsibility ("Not my problem" 
syndrome.)  

Generally, the first ruleset change that blocks remote administration 
starts the impending collapse.  If not, the "OS breaks firewall, firewall 
breaks OS" stuff that tends to happen way too often will do it.  
Especially if it causes downtime and there isn't a dedicated firewall test 
environment.

I think we've just found an example where I'd actually move to outsourced 
firewall management over it being done internally.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards