> I'm looking for any comments on large or small companies who have
> implemented firewalls in an intranet environment where arguments have
> broken out over who should have "physical" access and control over
> maintenance of the firewall rulebase: the server O/S administrators, the
> network folks, or the business owners of data on the servers the
> firewall protects?
> (What the rule base should be is not necessarily the argument - it's
> just physical read/write access and control over the box)
The firewall is one of the means of implementing the security policy,
so the responsibility for its maintenance should be on the implementors
of that policy. It is the task of the management to delegate that
responsibility to the group most able to implement it, be that systems
admins or network admins. I would tend to keep the data owners out of
the firewall administration only to the degree that they could request
changes to the policy, but would not be responsible for implementing
it. Unless the data owners control the security policy, it leads to
a conflict of interest.
Sigh, like a lot of firewall issues, this one appears to be more a
management problem than a technical one.
Thankfully, since I wear most of the hats, I don't experience those
sorts of conflicts. One of the advantages of a small company, I suppose.
Les Gondor, Gandalf Graphics. les @
[Considering the Internet] as a shaky structure built on layers of shaky
foundations: It works for Venice. I hear Venice is beautiful. (Marcus Ranum)