Firewall Wizards mailing list archives

RE: Separate firewall administrator and firewall system administrator


From: Ron DuFresne <dufresne () winternet com>
Date: Fri, 14 Jun 2002 14:57:31 -0500 (CDT)

On Fri, 14 Jun 2002, Bill Royds wrote:


That's not a bad idea, since it follows separation of duties principles
and allows experts to be working in their area of expertise.
The main caveat is that there needs to be a change management procedure
for any changes in either the firewall configuration or system
configuration so that both administrators are confident that there
is no conflict that could create risk.
Your main concern as security administrator is that changes to OS
configuration could create a vulnerable system holding your firewall. So
you need to be aware of and have control of patches and all services
running on the firewall platform. You don't want your box administrators
putting in SNMP on the firewall, for example.
But if they administrate what you specify, you now have two sets of eyes
looking at things, lowering the risk of misconfiguration.


I don't know, I think I disagree, soon I fear the firewall will be running
DNS, to save machines, and/or smtp, or worserer, httpd or something.

Over-separation of IT/IS departments into little fiefdoms tends to layer in
so many levels of administration and change management issues that changes
that need to be done *now* take days or weeks to implement, and soon right
hands don't know what left thumbs are doing or responsible for.  Next
thing you know, your IT/IS department starts to look and respond as poorly
as the FBI did prior to 9/11...

Thanks,

Ron DuFresne



-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com]On Behalf Of Joe Matusiewicz
Sent: Fri June 14 2002 11:58
To: firewalls () lists gnac net
Cc: firewall-wizards () nfr com
Subject: [fw-wiz] Separate firewall administrator and firewall system
administrator


Greetings,

Management came up with this new proposal.  Our firewalls should now have
the operating system managed by the system administration group.  The
current firewall administrators should only handle the firewall
software.  I never heard of this before.  Is there anyone out there
doing this?

Please feel free to comment on this idea.


-- Joe

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

--
Firewalls mailing list - [ firewalls () isc org ]
To unsubscribe: http://www.isc.org/services/public/lists/firewalls.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
