The security manager has the responsibility to maintain the security
perimeter of the corporation or enterprise. A firewall is a major
perimeter device and he should maintain both physical and logical
control over the box and the software. It should be within his purview
to delegate responsibilities to others on his behalf. For example, he
may decide that the computer room is the best physical location and
delegate responsibility for maintaining physical controls to computer
operations. This in no way exempts him from the responsibility of
auditing those controls. He may also decide that the network manager is
the most qualified person to make changes to the rule set, but all
requests for changes should come to him for evaluation and approval
prior to being forwarded to the network manager for implementation.
In a previous life, the company only had two employees who had
authority to make changes to security devices. They alone had the
userid and password for the firewall and authentication servers. They
hand-delivered changes to the network manager (me) and I put those
changes in while they watched. We then tested the changes to ensure our
security profile had only been altered to accommodate the new rule. A
copy of the report was attached to the change request and filed in the
security manager's office.
As a precaution against deadlocks, a sealed and signed envelope with the
security server userids and passwords was kept in the company safe.
If your company is having the problem you have described, it is likely
you do not have a company Security Policy that defines who has
responsibility for perimeter security, or a procedure that governs how
changes to the security perimeter are made, tested, audited, etc. This
would be a good time to bring this to the attention of your top
management. Let them decide which one of the warring tribes gets the
responsibility and the extra burden of work!
> -----Original Message-----
> From: Young, Roger [SMTP:youngr @
> Sent: Thursday, November 20, 1997 8:37 PM
> To: Firewalls @
> Subject: Who Gets Control of the Firewall At Your Place?
> Hello there!
> I'm looking for any comments on large or small companies who have
> implemented firewalls in an intranet environment where arguments have
> broken out over who should have "physical" access and control over
> maintenance of the firewall rulebase: the server O/S administrators,
> network folks, or the business owners of data on the servers the
> firewall protects?
> (What the rule base should be is not necessarily the argument - it's
> just physical read/write access and control over the box)
> Nothing more interesting than to watch a power struggle for control of
> something and to hear the arguments for that control...."I have legal
> responsibilities and can't trust your group", "it's a network device
> it's my job", "it's my data it's protecting so it's my job", "you're a
> network person and don't know the FW O/S", "our department bought the
> firewall", "let's install it and not give them the password", "our
> has 24 X 7 support capability in case something goes wrong in the
> computer room", etc.
> Any comments serious or comical are encouraged (I could use some humor
> at the end of the week). At what level in the organization should you be
> taking names, kickin' derriere, and calling the "firewall control"
> shots that cuts through (the sometimes petty) issues at the department
> level? What is the best logic you have used to get all parties to
> happily agree?
> But then again maybe I'm the only one who has run into this one
> Thanks, Roger