Firewall Wizards mailing list archives

Re: Separate firewall administrator and firewall system administrator


From: Adam Shostack <adam () homeport org>
Date: Fri, 14 Jun 2002 12:42:50 -0400

On Fri, Jun 14, 2002 at 11:57:43AM -0400, Joe Matusiewicz wrote:
| Greetings,
| 
| Management came up with this new proposal.  Our firewalls should now have 
| the operating system managed by the system administration group.  The 
| current firewall administrators should only handle the firewall 
| software.  I never heard of this before.  Is there anyone out there
| doing this? 

Yeah, I know a place that does (did) that about 5 years ago. The
politics and mechanisms were hell.

Some examples:
Getting patches applied rapidly was very hard, because there was a
process of testing and approving patches for production that took too
long for a firewall.

There were differences in skill and approach between the groups which
led to a great deal of distrust.

The OS group had standard installs, which were not hardened the way
the firewall group hardened things.  They wanted to bring their
standard installs for the firewall machines, including NFS, X, and
other things.

On the bright side, I made a lot of good friends in going through all
those fights.  But they weren't good for the company. We were often
more focused on fighting each other than the competition.  The reasons
we had seemed perfectly good at the time.


Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

