>One of the divisions of the company I work for has a permanent connection
to the
>Internet secured by a Tis Toolkit and a Livingston router doing packet
>filtering. Since the connection at this division is of limited bandwidth (56k
>at present), over the past year or so some 40 to 50 individuals around the
>company (nationwide, but primarily at our central location) have obtained
>individual accounts with local ISPs in order to get access. These users are
>primarily using Spry's Internet in a Box, but there are also some NT users,
OS/2
>users, and a couple of Unix machines as well. Since this growth has not been
>managed centrally, and we have (also in the last year or so) finished
building a
>private internet connecting most of our domestic sites, we are concerned about
>the risks that these unsecured dial-up connections pose.
>
>Within the month, the division with the permanent connection will be upgrading
>to a T1 which we feel is adequate to meet the needs of the corporation for
>Internet access. We plan to move the serial users to connecting via their lan
>connections using the bandwidth and the firewall at the division with the
>permanent connection.
>
>My boss (actually my bosses bosses boss, but who's counting) has asked me to
>determine the staffing requirements for maintaining and monitoring the
firewall.
>Our tendency has been to add function without adding headcount; the techs that
>are involved in this project feel that this is not an occasion where that is
>practical due to the amount of time and effort involved in monitoring logs,
etc.
>What is the general consensus on the amount of time and effort involved in
these
>tasks?
>
>David Nichols -- on my own dime!
>
>����
>����
>
David,
It depends on the size of your organization, how you implement the firewall,
the kind of security level you want, etc. Not knowing any of these things,
I would recommend at least two people for this task. One person has the
job as a primary function to monitor the firewall & the other is a backup
person. Whether both persons work full-time or part-time or has another
primary function depends on your environment. Ideally, the firewall doesn't
require much maintenance. As always, your mileage may vary (depending
on your company's individual requirements).
Also:
It is imperative that both perons fully understand what can & can't be
done.
It is best to decide how to handle emergencies in advance.
The specific duties & responsibilities should be a formal part of someone's
job description.
And now for the most important part. Have someone take on the responsibilites
of managing the firewall on a full-time basis for a couple of months to see
how much of a workload is involved - BEFORE thinking about hiring someone.
Four benefits to this:
- you can more accurately assess the amount of resources needed
- hands-on training for the backup person
- decide in advance if there is enough work to keep the person busy
- the "do unto others" principle (see next paragraph)
IMO, it is wasteful to bring someone on board & then let them go because
there is not enough work for them. It is not good for the company, and
will put a very large crimp in the employee's life. Even moreso if they
have a wife & kids, were hired away from a good job, or had to move to
take the position (or any combination thereof).
The above wasn't meant to be critical or yours or any organization (and
I hope it wasn't received that way). I think you asked a very important
question which is often overlooked when putting in a firewall.
Best Regards,
Frank
Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified
<standard disclaimer>
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
|
|
