"Paul D. Robertson" <[EMAIL PROTECTED]> wrote:
> On Fri, 28 May 1999, Mark Wallace wrote:
>> Wallace's first law of firewalls "The value of the firewall is not
>> in the hardware or the software, but in the genius and professionalism
>> of the firewall administrator."
>
> Wallace obviously lives in a dream world where firewall administrators
> can actually *do* something about firewalls.
There will always be a gap between what firewalls can do and what
security admins need them to do. More important are security admins'
abilities to A) evaluate new technology and B) communicate the risks to
management.
A good security admin, IMHO, must detail the risks and get those CYAs.
When users or management ask for a hole to be opened in the firewall and
aren't convinced by the technical reasons why this would be risky, the CYA
is indispensable:
1) Document the technical reasons why allowing protocol X through the
firewall would be a security risk. Cite external references (URLs
and Usenet posts) where possible. Keep this section as concise
and management-oriented as possible.
2) Estimate the potential cost of business disruption should this new
risk be exploited. Ask for assistance from accounting as needed.
3) Make your recommendations based on #1 and #2 above. Put
everything down on paper (or email depending on the corporate
culture). Detail the options where alternatives are available.
4) Request that _upper_ management sign off before making any changes.
Don't compromise your fiduciary responsibilities as a network or security
admin or consultant. If management still signs off, at least you'll know
you did the best you could.
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/