Firewall Wizards mailing list archives

Re: Separate firewall administrator and firewall system administrator


From: "Paul D. Robertson" <proberts () patriot net>
Date: Fri, 14 Jun 2002 19:56:20 -0400 (EDT)

On Fri, 14 Jun 2002, Joe Matusiewicz wrote:

> Greetings,
>
> Management came up with this new proposal.  Our firewalls should now have 
> the operating system managed by the system administration group.  The 
> current firewall administrators should only handle the firewall 
> software.  I never heard of this before.  Is there anyone out there doing this?

I've heard of it, and it's floated from time to time in some companies.  
I've never heard of it working well anywhere.


> Please feel free to comment on this idea.

You've gotten some pretty good thoughts so far, but I'll add my two cents:

Infrastructure needs to have limited access and careful control.  
Firewalls are infrastructure; making responsibility, integrity and access 
control into a multi-tiered thing is a bad idea overall.  Of course, by 
design, there are tiers (OS vendor, platform vendor, software vendor...), 
but adding to that mix just seems to be courting disaster.

The admin group is responsible for administering systems that are 
accessible to users.  Firewalls should be thought of more as traffic 
control devices than security application servers.  
This requires a different mindset, and if the firewall group can't apply 
security-specific Operating System configurations, patches or adjunct 
software, then someone in the admin group is going to have to learn about 
security issues, and take responsibility for an increased window of 
vulnerability when those things are appropriate.  There are lots of 
patches that an admin group wouldn't use that might be appropriate to 
apply to a firewall; finding some of those might be interesting if 
someone were to do a more detailed "this is a bad idea..." thing.

Consider also upgrading: often, specific OS patches are necessary for an 
upgrade to firewall software, so twice as many bodies are necessary onsite to do 
an upgrade, and if it's an apply/patch/apply/patch type of thing, there's 
a lot of idle time for an expensive resource.

Auditability and accountability over two groups is significantly more 
difficult.  This can't be stressed enough in the case of security 
infrastructure.

The other thing to think about is your access policy.  What does the 
security policy for the organization say about who can access the firewall 
and how they do it?  Most commercial firewalls have built-in remote 
management these days, but those don't allow remote access to the OS for 
the most part.  How that plays into the standard administrative access and 
how much "one off" stuff the admin group would have to do may be cause for 
concern.  Think also escalation procedures: 2am trouble calls may now 
mean two people showing up to deal with a situation; that's got to cost 
the organization quite a bit, and potentially may cause a larger window 
of exposure while "the right person" shows up.  If the OS group suddenly 
needs remote access to the OS, there's a potential vector into the 
firewall.  And let's not forget the new policy synchronization stuff: if 
the firewall group owns the security policy implementation, they could 
obviously nuke the OS group's access.

Also, consider the fact that the firewall group controls border access, 
that is, in most organizations they are a check and balance against rogue 
administrators- but that assumes the administrators don't have access to 
the gateway itself.  Adding N administrators to the number of people who 
can drill holes through the firewall _should_ paint a frightening picture.  
Sounds to me like whoever's in charge of security *really* needs more 
visibility and understanding.

Personally, I wouldn't administer a firewall where my protection 
obligations relied on $OS admin.  Morale and retention issues might also 
be worth stressing, assuming you're against the proposed change.

Every security policy I've written has enumerated exactly the people who 
should be allowed physical and administrative access to the firewall(s) 
covered by that document.  I've always retained ownership over that part 
of the policy, and have won even the "operations needs to back it up" 
battles over the years by ensuring that I could cover the administrative 
and operational issues without undue expense.  There's a risk/reward 
analysis that I'd guess hasn't been done yet- and if someone's been 
passing the Quake2 time off as "OS Administration," that battle's probably 
about to be lost.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

