Ho baby...you DO want to start a flame war the size of the great Chicago
fire, don't you! ;-)
The answer is easy. You hire Mitnick as your security consultant and give
him the keys to the kingdom!
A more serious answer is that most "small to medium" sized companies don't
have a true "security administrator" (just what classifies them as "medium"
sized anyway??). The common thread seems to be smaller companies just
throw in a firewall and say "wow...we're secure now!" rather than actually
defining security policies (gasp!). Education seems to be the key here.
These "small and medium sized" companies need to ACT like big companies
when it comes to the security of their IT infrastructure. They need to
make an executive level decision to appoint someone as the Security Officer
(S.O.) and ensure that he/she gets properly trained. Consultants (or the
reseller or Firewall company) typically fill the role from what I can see.
Good and bad points abound there, alone! The real problem is, as you
suggested, the 'ongoing' support and maintenance of security policy. The
larger companies that I have dealt with for the MOST part seem to have
grasped this concept by now and have taken the S.O. approach which lets the
security functions rest in a single place.
So 'MY' answer is...Executives: take the bull by the horns and actually
make a command decision!
"LET THE FLAMES BEGIN!!!"
Steve Kruse
PS: All youse guys flame each udder, not me!!!!!!
At 11:37 PM 11/20/97 -0500, Young, Roger wrote:
>Hello there!
>
>I'm looking for any comments on large or small companies who have
>implemented firewalls in an intranet environment where arguments have
>broken out over who should have "physical" access and control over
>maintenance of the firewall rulebase: the server O/S administrators, the
>network folks, or the business owners of data on the servers the
>firewall protects?
>
>(What the rule base should be is not necessarily the argument - it's
>just physical read/write access and control over the box)
>
>Nothing more interesting than to watch a power struggle for control over
>something and to hear the arguments for that control...."I have legal
>responsibilities and can't trust your group", "it's a network device so
>it's my job", "it's my data it's protecting so it's my job", "you're a
>network person and don't know the FW O/S", "our department bought the
>firewall", "let's install it and not give them the password", "our group
>has 24 X 7 support capability in case something goes wrong in the
>computer room", etc.
>
>Any comments serious or comical are encouraged (I could use some humor
>at the end of the week). At what level in the organization should you be
>taking names, kickin' derriere, and calling the "firewall control"
>shots that cuts through (the sometimes petty) issues at the department
>level? What is the best logic you have used to get all parties to
>happily agree?
>
>But then again maybe I'm the only one who has run into this one unlikely
>circumstance?
>
>Thanks, Roger
>
**************************************************
* Steve Kruse                    Milkyway Networks *
* Network Sales Support    1342 E. Vine St. #224   *
* Kissimmee, FL 34744                              *
* http://www.milkyway.com      skruse@milkway.com  *
**************************************************