| I agree that the security folks need to own responsibility for the
| firewalls, but I also think they need to work in conjunction with the
| networking folks, since firewalls are a part of an enterprise's
| connectivity infrastructure. If the firewalls or other networking
| components are Unix based, they should also work in conjunction with
| Unix people as is appropriate.
Sounds like too many cooks to me. Then, I've never been entirely happy
with the common division of systems, networking and security groups.
In my admittedly narrow experience, those groups don't seem to work
together closely enough. If "the network is the computer", why are
the computers and networks managed by separate groups? Oh, well, mine
is not to reason why...
Furthermore, when new technologies are introduced, e.g. open systems or
Internet connectivity, the groups' learning curves are rarely in sync.
Personally, again in my narrow experience, I have yet to meet anyone in
a networking or security group that I would feel comfortable with running
my firewall, though surely there are many out there.
OTOH, this is a problem without an obvious solution. The answer will
probably depend on the type of firewall (i.e. at what networking layer
it operates), what services are provided, whether the firewall is
commercially supported or home grown, as well as on the individual
competencies and workload of the staff. For instance, a home grown
application level proxy firewall with external Unix based www and ftp
servers should probably be run by a Unix admin type. However, many
Unix SAs don't come pre-equipped with the proper security mindset. It's
probably a good thing to have a second set of eyes, e.g. the security
group, keeping tabs on things, too. Conversely, a packet filtering
or commercially supported firewall might be run by the networking
or security group.
The two biggest dangers are having two or more groups battling each
other and having an unsophisticated manager rolling around loose on
deck making technical decisions based on limited knowledge. Actually,
there are other big dangers, like not having management support for
your well-defined security policy (of course, you have one?) and
developing a false sense of security that results in neglect of the
rest of your security perimeter (e.g. dialup lines), security logs,
and host security. But, these aren't so much organisational in nature.