Firewall Wizards mailing list archives

Re: Firewalls and IS Network bodies


From: Andy Howard <achowar () erenj com>
Date: Fri, 12 Dec 1997 08:05:07 -0600

Mike:  following is one line of thought... assuming you mean a firewall
between a corporate network and the Internet.  Firewalls between
departments of same company could be approached differently.

It's a team effort, but the network people should do the actual
administrating... the firewall exists, in my mind, to protect the
network and the devices on it, per corporate risk assessment and
following security policy.  The security and controls people assess the
risk and determine the policy and what needs to be protected.  The
network people technically know how to implement that policy.  The
security people then look over their shoulders as a double check,
reading logs and such, checking configuration periodically.

Course, this assumes a good working relation between the two groups. 
The risk assessment and security policy planning should include network
people.  The implementation part should include security people.  It
also depends on how much each knows of the other's business.  If I had
to lean one way or the other, I would put it in the network side of the
house.  It is easy enough to follow CERT, CIAC, etc. advisories, but how
to implement the fixes and such should lie with the network group.  They
have to deal with such problems routinely, whether the corporation is
connected to the Internet or not.

It also depends on how big your corporation is, and whether you have
enough people to break these things up.

Disclaimer:  I am predominantly a networking person, who also keeps
track of security issues.  Even if the security people miss something,
who do you think gets the first call when the network craters?  (-:
--------------

Mike van der Walt wrote:

I am trying to convince my management why a security environment should
retain the firewall administration.  They believe that the function
should be handed to the networking department.

What are your reasons/feelings either way?  Should I agree with them or
should I continue to fight the good fight?

Thanks,

Mike

-- 
Andy Howard
achowar () erenj com
-- the above comments are mine only--


