Who is responsible for firewalls

A friend of mine recently started a new job. He is a network engineer. He was very surprised to learn that he is responsible for the hardware aspects of firewalls, such as deployment, configuration of interfaces but is not allowed to create any policies. All policies are created by the security team.

Is this normal?

Find more posts tagged with

Comments

NotHackingYou

Depends on the org, usually a mix of security and network teams.

markulous

Fairly normal. Usually security audits it and approves open ports, while networking manages it. But totally can depend. I've known some places security manages it 100%

TechGuru80

Depends...usually the maturity of an organization is the biggest factor but it also depends how things are setup. For example there might be a network security team managing security appliances...or the network team might configure everything and security will audit and identify gaps. Usually large organizations will have functions separated out, but small companies will have people wearing multiple hats.

networker050184

Usually depends on the size of the org. A larger enterprise or service provider might have a whole group that works on firewalls that is separate from the routing and switching group. A smaller org is more likely to only have policy folks in security while the network guys manage all the hardware and config.

SpetsRepair

Every company is different but I would question if he is actually a network engineer in this role or not some jr admin

Anyway, speaking from experience it is good to have specific access for certain people. Worked at one company where someone made a policy configuration change in a "management" device that ended up dropping everything and causing a lot of work for actual network/security teams to get everything back up'

Coworker pushed the wrong policy config to a group of sites and killed like 30-40 sites through this one mistake, and it was their first time applying this change which needed to be applied only at one site. anyway, after that event we started rolling the ball on getting different access for different engineers and groups in the company..

EANx

Not unusual for an organization that has a more mature change management approach. Separation of duties is a best-practice in many industries, not just IT.

mnashe

Thx everyone. I've never worked in an environment like that, so was not sure. It makes more sense now

SpetsRepair wrote: »

Every company is different but I would question if he is actually a network engineer in this role or not some jr admin

senior level network engineer

mbarrett

I can see that - having the engineer-types rack it, configure the interfaces/vlans, etc and aligning everything with the rest of the network, and then having some admins do the day-to-day rule changes. Seems logical, I wouldn't be surprised. For some, the firewall is a box with routing capability, and for others it is a GUI interface that is used to configure firewall rules.

UnixGuy

Sounds like he is the 'platform owner' of those firewalls, while a policy team is responsible for configuration

beads

Agree with UnixGuy, here. Your friend is the platform owner, separating duties of administration from security policy is considered a "best practice" by not allowing any one person all the keys to the kingdom. Sometimes known as "who watches the watchers, who guards the guards?

Here I write and manage policy which is signed off in CAB then implemented by my Network Engineer team.

Lots of ways to skin that firewall.

- b/eads

Nightflier101BL

I'm part of a security team that is in charge of several firewalls, where I just manage the firewalls on my side of the US. I handle everything from upgrades, implementation and policy/rules, VPN, but everything goes through a strict change control board first. However, I also serve as a backup to the networking group but not the other way around.

chrisone

beads wrote: »

Agree with UnixGuy, here. Your friend is the platform owner, separating duties of administration from security policy is considered a "best practice" by not allowing any one person all the keys to the kingdom. Sometimes known as "who watches the watchers, who guards the guards?

Here I write and manage policy which is signed off in CAB then implemented by my Network Engineer team.

Lots of ways to skin that firewall.

- b/eads

+1 Agreed with all points given.