Firewall Wizards mailing list archives
Re: Separate firewall administrator and firewall system administrator
From: "Paul D. Robertson" <proberts () patriot net>
Date: Fri, 14 Jun 2002 19:56:20 -0400 (EDT)
On Fri, 14 Jun 2002, Joe Matusiewicz wrote:
> Greetings. Management came up with this new proposal. Our firewalls should now have the operating system managed by the system administration group. The current firewall administrators should only handle the firewall software. I never heard of this before. Is there anyone out there doing this?
I've heard of it, and it's floated from time to time in some companies. I've never heard of it working well anywhere.
> Please feel free to comment on this idea.
You've gotten some pretty good thoughts so far, but I'll add my two cents:

Infrastructure needs to have limited access and careful control. Firewalls are infrastructure; making responsibility, integrity and access control into a multi-tiered thing is a bad idea overall. Of course, by design, there are tiers (OS vendor, platform vendor, software vendor...), but adding to that mix just seems to be courting disaster.

The admin group is responsible for administering systems that are accessible to users. Firewalls should be thought of more as traffic control devices than security application servers. This requires a different mindset, and if the firewall group can't apply security-specific Operating System configurations, patches or adjunct software, then someone in the admin group is going to have to learn about security issues, and take responsibility for an increased window of vulnerability when those things are appropriate. There are lots of patches that an admin group wouldn't use that might be appropriate to apply to a firewall- finding some of those might be interesting if someone were to do a more detailed "this is a bad idea..." thing.

Consider also upgrading- often, specific OS patches are necessary for an upgrade to firewall software- twice as many bodies necessary onsite to do an upgrade, and if it's an apply/patch/apply/patch type of thing, there's a lot of idle time for an expensive resource.

Auditability and accountability over two groups is significantly more difficult. This can't be stressed enough in the case of security infrastructure.

The other thing to think about is your access policy. What does the security policy for the organization say about who can access the firewall and how they do it? Most commercial firewalls have built-in remote management these days, but those don't allow remote access to the OS for the most part.
How that plays into the standard administrative access and how much "one off" stuff the admin group would have to do may be cause for concern. Think also escalation procedures- 2am trouble calls may now mean two people showing up to deal with a situation; that's got to cost the organization quite a bit- and potentially may cause a larger window of exposure while "the right person" shows up.

If the OS group suddenly needs remote access to the OS, there's a potential vector into the firewall, and let's not forget the new policy synchronization stuff: if the firewall group owns the security policy implementation, they could obviously nuke the OS group's access.

Also, consider the fact that the firewall group controls border access; that is, in most organizations they are a check and balance against rogue administrators- but that assumes the administrators don't have access to the gateway itself. Adding N administrators to the number of people who can drill holes through the firewall _should_ paint a frightening picture.

Sounds to me like whoever's in charge of security *really* needs more visibility and understanding. Personally, I wouldn't administer a firewall where my protection obligations relied on $OS admin. Morale and retention issues might also be worth stressing- assuming you're against the proposed change.

Every security policy I've written has enumerated exactly the people who should be allowed physical and administrative access to the firewall(s) covered by that document. I've always retained ownership over that part of the policy, and have won even the "operations needs to back it up" battles over the years by ensuring that I could cover the administrative and operational issues without undue expense. There's a risk/reward analysis that I'd guess hasn't been done yet- and if someone's been passing the Quake2 time off as "OS Administration," that battle's probably about to be lost.
Paul

-----------------------------------------------------------------------------
Paul D. Robertson        "My statements in this message are personal opinions
proberts () patriot net   which may have no basis whatsoever in fact."