There should be a design group and an implementation/support
group. Design people should probably do stints in the
implementation/support group to make sure that they stay grounded.
They should probably be part of the security organization,
with well defined boundary testing (if the network group can't ping
all interfaces of the router, it's considered to be a firewall group
problem.) The network group gets to put in probes and watch the
traffic, but can only run serial lines to the probes. etc.
Strong boundaries for who is responsible for what are
important, as is an understanding of who the management chain is, and
whose head is on the line for what. Keep the management chain small.
Since firewalls are sexy, a lot of people will want to stir the pot.
Fight back against this.
There is a much greater need for written policies in a large
organization than in a small one. (Policies are essential for a small
company's security, and essential for a large company's security and
the sanity of its employees.)
Who hasn't been consulting to a large company for a while. (Hi Joe,
Judy Altrudo wrote:
| Your views on who in an organisation should be responsible for managing
| firewalls would be appreciated.
| I raise this topic as in a large organisation where there is a dedicated security
| team who are responsible for testing security products, installing and
| providing day-to-day security, that team might be considered the best area for
| the above.
| On the other hand, the network people (those responsible for installing
| and configuring routers etc) might also be considered to be the most
| appropriate area.
| Because firewalls involve both security and network, it isn't obvious to
| me where the responsibility should lie.
| Any views ?
| Thanks, JA
"It is seldom that liberty of any kind is lost all at once."