Firewall Wizards mailing list archives
Re: Separate firewall administrator and firewall system administrator
From: "Paul D. Robertson" <proberts () patriot net>
Date: Fri, 14 Jun 2002 20:23:35 -0400 (EDT)
On Fri, 14 Jun 2002, David R. Matusiak wrote:
Most security people will balk at the idea of sharing a system or systems with other team members. Mostly because they imagine the Systems Administration staff to be incompetent in regards to their duties. I would argue that this is not always the case.
I think you're a little off (though for some sets of institutions, it's certainly true)- It's not incompetent in regards to their duties, it's incompetent in regards to security engineering principles- which are much more important on a firewall box than on an internal server for a large number of places (note that it's probably true that it *shouldn't* be more important.)
However, in smaller and more tightly-knit environs, the Security folks and the SysAdmins can work in perfect harmony. In these cases, there is a large amount of knowledge sharing and both parties generally wind up doing their work better. This can lead to a nice benefit in "failover protection" to lighten your pager load on weekends.*
If you're in an environment where your responsibility is the security of an organization, you need to have a fair level of platform trust- as a protection device, firewall responsibility generally goes beyond "application that people use to surf," that mindset difference is why most "normal" IT staff don't fare well working with security people. I've seen security and IT departments at a fairly large number of companies, and I can still count the number of firewalls I've seen compromised. Taking a technology that relies on blocking to work, and putting it in the hands of a group that's MBO'd by enabling is a base philosophy conflict. Splitting things between an OS group and a security group will cause issues in getting things applied, or lack of responsibility ("Not my problem" syndrome.) Generally, the first ruleset change that blocks remote administration starts the impending collapse. If not, the "OS breaks firewall, firewall breaks OS" stuff that tends to happen way too often will do it. Especially if it causes downtime and there isn't a dedicated firewall test environment.
I think we've just found an example where I'd actually move to outsourced firewall management over it being done internally.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards