Who is responsible for firewalls

mnashe Posts: 133 Member
A friend of mine recently started a new job. He is a network engineer. He was very surprised to learn that he is responsible for the hardware aspects of firewalls, such as deployment, configuration of interfaces but is not allowed to create any policies. All policies are created by the security team.

Is this normal?

Comments

  • NotHackingYou Posts: 1,460 Member
    Depends on the org, usually a mix of security and network teams.
    When you go the extra mile, there's no traffic.
  • markulous Posts: 2,389 Member
    Fairly normal. Usually security audits it and approves open ports, while networking manages it. But it totally can depend. I've known some places where security manages it 100%.
  • TechGuru80 Posts: 1,539 Member
    Depends... usually the maturity of an organization is the biggest factor, but it also depends how things are set up. For example, there might be a network security team managing security appliances... or the network team might configure everything and security will audit and identify gaps. Usually large organizations will have functions separated out, but small companies will have people wearing multiple hats.
  • networker050184 Posts: 11,962 Mod
    Usually depends on the size of the org. A larger enterprise or service provider might have a whole group that works on firewalls that is separate from the routing and switching group. A smaller org is more likely to only have policy folks in security while the network guys manage all the hardware and config.
    An expert is a man who has made all the mistakes which can be made.
  • SpetsRepair Cisco/Fortinet/Meraki/Comptia Posts: 210 Member
    Every company is different, but I would question whether he is actually a network engineer in this role or just some jr admin.

    Anyway, speaking from experience it is good to have specific access for certain people. Worked at one company where someone made a policy configuration change in a "management" device that ended up dropping everything and causing a lot of work for the actual network/security teams to get everything back up.

    Coworker pushed the wrong policy config to a group of sites and killed like 30-40 sites through this one mistake, and it was their first time applying this change, which needed to be applied only at one site. Anyway, after that event we started rolling the ball on getting different access for different engineers and groups in the company.
  • EANx Posts: 1,077 Member
    Not unusual for an organization that has a more mature change management approach. Separation of duties is a best-practice in many industries, not just IT.
  • mnashe Posts: 133 Member
    Thx everyone. I've never worked in an environment like that, so I was not sure. It makes more sense now.
    SpetsRepair wrote: »
    Every company is different, but I would question whether he is actually a network engineer in this role or just some jr admin.

    Senior level network engineer.
  • mbarrett Posts: 397 Member
    I can see that - having the engineer types rack it, configure the interfaces/VLANs, etc. and align everything with the rest of the network, and then having some admins do the day-to-day rule changes. Seems logical; I wouldn't be surprised. For some, the firewall is a box with routing capability, and for others it is a GUI interface that is used to configure firewall rules.
  • UnixGuy SABSA, GCFA, GPEN, CISM, RHCE, Security+, Server+, eJPT, CCNA Posts: 4,047 Mod
    Sounds like he is the 'platform owner' of those firewalls, while a policy team is responsible for configuration.
    Goal: MBA, Jan 2021
  • beads Posts: 1,442 Member
    Agree with UnixGuy here. Your friend is the platform owner; separating duties of administration from security policy is considered a "best practice" by not allowing any one person all the keys to the kingdom. Sometimes known as "who watches the watchers, who guards the guards?"

    Here I write and manage policy which is signed off in CAB then implemented by my Network Engineer team.

    Lots of ways to skin that firewall.

    - b/eads
  • Nightflier101BL Posts: 134 Member
    I'm part of a security team that is in charge of several firewalls, where I just manage the firewalls on my side of the US. I handle everything from upgrades, implementation and policy/rules, VPN, but everything goes through a strict change control board first. However, I also serve as a backup to the networking group but not the other way around.
  • chrisone CISSP, CRTP, eCPPT, LFCS, CEH, Azure Fundamentals, Retired Cisco NPs Posts: 1,884 Member
    beads wrote: »
    Agree with UnixGuy here. Your friend is the platform owner; separating duties of administration from security policy is considered a "best practice" by not allowing any one person all the keys to the kingdom. Sometimes known as "who watches the watchers, who guards the guards?"

    Here I write and manage policy which is signed off in CAB then implemented by my Network Engineer team.

    Lots of ways to skin that firewall.

    - b/eads

    +1 Agreed with all points given.
    2019 Goals:
    Certs: Certified Red Team Professional - Pentester Academy (passed!), Azure Fundamentals AZ-900 (passed!), Azure Security Engineer Associate AZ-500 (in-progress)
    2020 Goals:
    Certs: AZ-500, MS-500, Pentester Academy - PACES, Varonis Certified Admin (in-progress)