Good points.  My only issue with "standardization" is that I've seen
managers get sloppy and use the "standard" to implement bad security.
Operator/manager training on the "standards" becomes critical.

For example, because the first VPN extranet needed access to multiple
mainframes the mainframes got put in a group.  Subsequent VPN partners had
the same services and group applied as a destination.  The first "example"
had become a "standard".  All mainframe users had access to all the
mainframes' applications even if their business only required access to one.
Yuck!

Going back to original requests, finding sales people or account detail to
figure out who really should be allowed where for 100+ partners/customers is
a pain.

Adam

----- Original Message -----
From: "David Lang" <[EMAIL PROTECTED]>
To: "Steve George" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, March 27, 2002 12:56 AM
Subject: Re: standards


> It also depends a lot on how complicated the firewalls are.
>
> It can be easier to manage several small/simple firewalls than one
> large/complex firewall connecting the same networks (it can also be easier
> to manage one firewall than several if your rules don't separate well)
>
> As Steve says the key is to get the tools to do the job.
>
> This doesn't mean you have to buy commercial tools, spending the time to
> develop your own tools that really do what you need can be just as
> effective (or more effective) than buying and learning commercial tools.
>
> It also makes a huge difference how much your firewalls change. If you
> install the firewall and don't touch it except to look at logs until you
> upgrade it in a few years it's a very different story than if you have
> daily requests to open/close ports through it
>
> I've seen places where it took one person to manage one large firewall,
> and another where a team of 4 manages 40 (and in that latter case they are
> looking for a 5th person and expecting to end up managing ~80 spanning the
> country before they are done)
>
> The key to managing a large number is to standardize where you can and
> automate as much as possible. Log analysis is a perfect example, it can
> tie up a full-time person for an internet connected firewall if you are
> willing to let it, but if you are able to figure a way to summarize it you
> can get 90%+ the same effectiveness with half an hour a day to look at
> things that are odd (yes you will miss some things, but do you think the
> guy whose eyes are glazing over poring through logs isn't going to miss
> things as well?)
>
> One common thing that is forgotten is how are you going to upgrade your
> boxes. If you have a lot of them you will be faced with this in a big way.
> Plan for it.
>
> Also consider splitting your workload up in some way other than just by
> firewall groups. Have some people specialize in maintaining the underlying
> boxes (hardware and software) while others specialize in the ins and
> outs of the firewall software, and others automate things for the rest of
> the group, cross train them, but put people where they do the most good.
> Don't force everyone to be an expert at everything
>
> David Lang
>
> On 25 Mar 2002, Steve George wrote:
>
> > Date: 25 Mar 2002 09:45:59 +0000
> > From: Steve George <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: Re: standards
> >
> > Hi David,
> >
> > I don't think there is any set practice on this point.  The determining
> > factors are probably how skilled your firewall people are and what size
> > of organisations the firewalls are protecting.  More skilled admin
> > people should be able to handle more systems.  The size of organisation
> > will tend to indicate the complexity of the system and likelihood of
> > serious attack: I bet 10 small companies are equal to one medium one for
> > instance.
> >
> > Investment in management tools can save a lot of people time.  I
> > remember way back reading the logs on every firewall I had each day.
> > These days I don't think anyone would do that, there are concentrators
> > and alerters to handle most of that work.
> >
> > Cheers,
> >
> > Steve
> >
> >
> >
> > On Thu, 2002-03-21 at 19:21, [EMAIL PROTECTED] wrote:
> > > I would like to know if there is any sort of standard or basic guideline
> > > (safe practice) in regards to number of
> > > firewalls per firewall admin. How many firewalls should a firewall admin be
> > > expected to safely manage
> > >
> > > any help would be greatly appreciated
> > >
> > >
> > > David Malow
> > > ITM Global Network Security
> > >
> > >
> > >
> > >
> > >
> > >
> > > ****************************************************************************
> > >
> > > The information contained in this transmission, which may be
> > > confidential and proprietary, is only for the intended recipients.
> > > Unauthorized use is strictly prohibited. If you receive this
> > > transmission in error, please notify me immediately by telephone
> > > or electronic mail and confirm that you deleted this transmission
> > > and the reply from your electronic mail system.
> > >
> > > ****************************************************************************
> > >
> > >
> > >
> > > _______________________________________________
> > > Firewalls mailing list
> > > [EMAIL PROTECTED]
> > > http://lists.gnac.net/mailman/listinfo/firewalls
> >
> >
>
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
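Adam's mainframe example is a least-privilege failure that is easy to catch mechanically once the original access requests are recorded alongside the policy. The script below is an added example, not code from the mailing list or from any firewall product: the group names, partner names, host names and the `Rule` object model are all constructed. It expands each rule's destination group, diffs it against the partner's recorded business need, and proposes the tightest destination (an existing group that matches exactly, otherwise a new per-partner group) so the shared "standard" group is not reused blindly.

```python
"""Least-privilege check for VPN partner rules that reuse a shared destination
group.  Added example, not from the mailing list; the object model, group
names, partner names and host names are all constructed for illustration."""
from dataclasses import dataclass

# Constructed named groups, as a firewall policy would define them.  The first
# extranet needed every mainframe, so "mainframes" was created; later partners
# were given the same group as their destination.
GROUPS = {
    "mainframes": {"mf-payroll", "mf-claims", "mf-billing"},
    "mf-claims-only": {"mf-claims"},
}

# Constructed business requirement per partner: the hosts each one actually
# needs, taken from the original access request rather than from the policy.
REQUIRED = {
    "partnerA": {"mf-payroll", "mf-claims", "mf-billing"},
    "partnerB": {"mf-claims"},
    "partnerC": {"mf-billing"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str        # partner VPN network, identified by label
    destination: str   # a host name or a group name
    services: frozenset


# Constructed rule base: the "standard" applied to every partner.
RULES = [
    Rule("partnerA-mf", "partnerA", "mainframes", frozenset({"tn3270"})),
    Rule("partnerB-mf", "partnerB", "mainframes", frozenset({"tn3270"})),
    Rule("partnerC-mf", "partnerC", "mainframes", frozenset({"tn3270"})),
]


def expand(destination, groups=GROUPS):
    """Resolve a destination to the set of hosts it really grants."""
    return set(groups.get(destination, {destination}))


def audit(rules, required, groups=GROUPS):
    """Return (rule name, sorted excess hosts) for every rule that grants more
    hosts than the partner's recorded business need.  A partner with no
    recorded need has every granted host flagged."""
    findings = []
    for rule in rules:
        granted = expand(rule.destination, groups)
        need = required.get(rule.source, set())
        excess = granted - need
        if excess:
            findings.append((rule.name, sorted(excess)))
    return findings


def suggest_destination(partner, required, groups=GROUPS):
    """Pick the tightest destination for a partner: an existing group that
    matches the need exactly, otherwise a proposed new per-partner group."""
    need = required[partner]
    for name, members in groups.items():
        if members == need:
            return name, set(members)
    return f"{partner}-hosts", set(need)


if __name__ == "__main__":
    for rule_name, excess in audit(RULES, REQUIRED):
        print(f"{rule_name}: grants hosts beyond business need: {excess}")
    for partner in REQUIRED:
        print(partner, "->", suggest_destination(partner, REQUIRED))
```

Run as-is it reports partnerB and partnerC as over-granted and proposes `mf-claims-only` for one and a new `partnerC-hosts` group for the other; partnerA, whose need really is every mainframe, is left alone. The useful part is the `REQUIRED` table: it is the "original request" data Adam describes hunting for, and keeping it next to the policy turns that hunt into a query.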

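David Lang's point about summarizing logs so that half an hour a day covers the odd things is worth showing concretely. The script below is an added example, not the thread's or any vendor's code: the iptables-style log format, the sample lines, the "known noise" port list, the admin-port list and the scan threshold are all constructed assumptions. It parses the lines, discards the background noise, and reports only what a person should look at: the busiest denied sources, sources probing many ports, ports that are not part of the usual noise, and any accepted connection to an admin port from the outside interface.

```python
"""Summarize firewall deny/accept logs into a short 'what looks odd' report.
Added example, not from the mailing list.  The log format is a constructed
iptables-style line and the sample lines, thresholds and port lists are
assumptions made for illustration."""
import re
from collections import Counter, defaultdict

# Matches the constructed "ACTION IN=... SRC=... DST=... PROTO=... DPT=..." shape.
LOG_RE = re.compile(
    r"(?P<action>ACCEPT|DENY) IN=(?P<iface>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" PROTO=(?P<proto>\S+)(?:.*? DPT=(?P<dpt>\d+))?"
)

# Constructed sample: a day's worth of lines boiled down to a handful.
SAMPLE_LOG = """\
Mar 27 00:01:02 fw1 kernel: DENY IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=445
Mar 27 00:01:09 fw1 kernel: DENY IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=445
Mar 27 00:02:15 fw1 kernel: DENY IN=eth0 SRC=203.0.113.5 DST=198.51.100.11 PROTO=TCP SPT=40003 DPT=445
Mar 27 00:03:01 fw1 kernel: DENY IN=eth0 SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP SPT=5000 DPT=21
Mar 27 00:03:01 fw1 kernel: DENY IN=eth0 SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP SPT=5001 DPT=22
Mar 27 00:03:02 fw1 kernel: DENY IN=eth0 SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP SPT=5002 DPT=23
Mar 27 00:03:02 fw1 kernel: DENY IN=eth0 SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP SPT=5003 DPT=25
Mar 27 00:03:03 fw1 kernel: DENY IN=eth0 SRC=203.0.113.77 DST=198.51.100.10 PROTO=TCP SPT=5004 DPT=80
Mar 27 00:04:40 fw1 kernel: ACCEPT IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=22
Mar 27 00:05:12 fw1 kernel: DENY IN=eth0 SRC=203.0.113.5 DST=198.51.100.12 PROTO=TCP SPT=40004 DPT=8443
Mar 27 00:05:13 fw1 kernel: martian source 198.51.100.10 from 10.0.0.1, on dev eth0
"""


def parse(line):
    """Return a dict of fields for a DENY/ACCEPT line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["dpt"] = int(event["dpt"]) if event["dpt"] else None
    return event


def summarize(lines, outside_iface="eth0", noise_ports=frozenset({135, 445, 1433}),
              admin_ports=frozenset({22, 3389}), scan_threshold=5):
    """Reduce a list of log lines to the handful of things worth a human's time.
    noise_ports are the ports constantly probed from the internet (assumed);
    a source denied on scan_threshold or more distinct ports is called a scanner."""
    events = [e for e in (parse(line) for line in lines) if e]
    denies_by_src = Counter()
    ports_by_src = defaultdict(set)
    unusual_ports = Counter()
    admin_accepts = []
    for e in events:
        if e["action"] == "DENY":
            denies_by_src[e["src"]] += 1
            if e["dpt"] is not None:
                ports_by_src[e["src"]].add(e["dpt"])
                if e["dpt"] not in noise_ports:
                    unusual_ports[e["dpt"]] += 1
        elif e["iface"] == outside_iface and e["dpt"] in admin_ports:
            # An accepted admin-port connection from outside is always worth a look.
            admin_accepts.append((e["src"], e["dpt"]))
    return {
        "parsed": len(events),
        "unparsed": len(lines) - len(events),   # unparsed lines are reported, never silently dropped
        "top_deny_sources": denies_by_src.most_common(3),
        "port_scanners": sorted(s for s, p in ports_by_src.items() if len(p) >= scan_threshold),
        "unusual_ports": sorted(unusual_ports),
        "admin_accepts_from_outside": admin_accepts,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

On the sample, eleven lines collapse to one scanning source, one accepted SSH session from outside, a short list of unexpected ports and a count of lines the parser could not read. That last number is the check David's caveat calls for: if it climbs, the summary is missing things because the log format changed, not because the network went quiet.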