Network Security is a subset of Information Security. The Networking team configures or pushes the rules and ensures the operational maintenance of the firewalls, such as software upgrades, RMA, etc.
The firewall rule review is done by the Infosec team, but it must be anticipated and documented by the Networking team, because when the Infosec team detects any shadowing rule or discrepancy, the Networking team should be able to explain it.
The Infosec team intervenes in major changes related to firewalls, such as their deployment, new locations or new services, but it will not intervene in daily operational tasks. I mean, if there is a pre-existing rule for hosts in a dedicated subnet, Infosec approval will not be needed to add a new host to the rule.
VPNs can be terminated on any system that has VPN capability. Firewalls, routers, servers, even PCs can be used as VPN termination points.
Within my organisation, we have to apply the Sarbanes-Oxley Act every 90 days (plus the CEO has stated worldwide that these controls have been applied), so every physical or virtual device has to have a Technical Specification, which includes both network and firewall base configurations as part of an overall organisation-wide security policy, regardless of whether your specialism is Cloud, Networking, Security, Servers, Operating Systems, Virtual Machines, Containers or even IoT, IoMT, OT etc.
So it is a joint responsibility between both Network and Information Security, regardless. Other situations arise within virtualisation technologies such as VMware with Edge devices, NSX or ESX gateways, all of which include Information Security aspects; in fact the device rules are the opposite of what is expected within network devices.
It is a joint affair, and a joint responsibility of each and every individual within the organisation, to adhere to those agreed technical specifications, including the Information Security, Networking, Server, Application etc. teams or specialisms.
If at all possible, you would have traditional InfoSec create, distribute and monitor the rulesets, while networking would handle the actual MAC (Moves, Adds, Changes) as well as basic patching and physical security (moving the boxes); those would be a networking set of tasks. Why? Because of the Division of Labor, or DoL, restrictions put in place by several frameworks. I saw Sarbox mentioned earlier, but this is more born out of best and good practices for audit than anything else.
Wish you luck with the networking folks.
@Beads Well, the cost of the financial penalties under SOX is horrendous, and certainly not trivial.
"Section 906 addresses criminal penalties for certifying a misleading or fraudulent financial report. Under SOX 906, penalties can be upwards of $5 million in fines and 20 years in prison. A direct excerpt from the Sarbanes-Oxley Act of 2002 report for section 906: (a) CERTIFICATION OF PERIODIC FINANCIAL REPORTS."
Which would you prefer?
Your network security team implements the hardware and software necessary to guard your security architecture. With the proper network security in place, your system can detect emerging threats before they infiltrate your network and compromise your data.
Information security (also known as InfoSec) ensures that both physical and digital data is protected from unauthorised access, use, disclosure, disruption, modification, inspection, recording or destruction. Information security differs from cybersecurity in that InfoSec aims to keep data in any form secure.
Cybersecurity, a subset of information security, is the practice of defending your organisation's networks, computers and data from unauthorised digital access, attack or damage by implementing various processes, technologies and practices. With the countless sophisticated threat actors targeting all types of organisations, it is critical that your IT infrastructure is secured at all times to prevent a full-scale attack on your network and risk exposing your company's data and reputation.
A very good and direct question.
I come from a large conglomerate where there are tons of technical complexities as far as how security devices are deployed, configured and controlled. I feel that in an environment like the one I belong to, firewall management should still be with the networking guys (to be precise, the operational guys) rather than giving it to Infosec. This is for two primary reasons: one, operations guys work day in and day out on such devices and would know more of the technicalities; and two, who will do the governance piece then?
I strongly feel that Infosec guys should ask tough questions of the network team as part of the review and governance mechanism. A few of the questions could be:
1) how firewall rules are reviewed (old rules which are not getting hits)
2) how impact analysis is performed
3) how segments are logically divided (MZ, DMZ etc.)
4) how the performance of the firewall is, and what the capacity plans around it are
It would be really nice to have firewall management given to Infosec in a smaller organisation, to implement governance right from the leaf level.
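Question 1 in the list above (rules that are not getting hits) and the "shadowing rule" finding mentioned earlier in the thread are the two checks a rule review actually runs. The script below is an added example, not code from any poster or from any firewall vendor. It assumes a first-match firewall (rules evaluated top to bottom, first match wins) and a per-rule hit counter and last-hit date, as most firewall exports provide; the ruleset and review date are constructed for the example. A rule fully covered by an earlier rule can never match; when the two rules' actions differ, that is the finding the Networking team should be asked to explain, because the later deny (or allow) is silently ignored.

```python
"""Firewall rule-review helper: flags shadowed rules and rules with no hits.

Assumes a first-match firewall and a hit counter plus last-hit date per rule.
The ruleset below is constructed for the example, not taken from any device.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                  # source CIDR, e.g. "10.0.0.0/8"
    dst: str                  # destination CIDR
    proto: str                # "tcp", "udp" or "any"
    port: Optional[int]       # destination port, None means any port
    action: str               # "allow" or "deny"
    hits: int                 # hit counter exported by the firewall
    last_hit: Optional[date]  # date of the last hit, None if never hit


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` would also match `outer`."""
    if not ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src)):
        return False
    if not ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst)):
        return False
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if outer.port is not None and outer.port != inner.port:
        return False
    return True


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str, bool]]:
    """Return (shadowed rule, earlier rule that covers it, actions differ).

    Under first-match semantics a rule covered by an earlier rule never fires.
    When the actions differ the later rule is a policy error, not just clutter.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append((later.name, earlier.name, earlier.action != later.action))
                break  # report the first rule that shadows it
    return findings


def find_stale(rules: List[Rule], today: date, max_age_days: int = 90) -> List[str]:
    """Rules with no hits at all, or no hits inside the review window."""
    stale = []
    for r in rules:
        if r.hits == 0 or r.last_hit is None or (today - r.last_hit).days > max_age_days:
            stale.append(r.name)
    return stale


def review(rules: List[Rule], today: date) -> dict:
    """Bundle both checks the way a review report would."""
    return {"shadowed": find_shadowed(rules), "stale": find_stale(rules, today)}


# Constructed ruleset and review date for the example (first-match order).
RULES = [
    Rule("allow-web",      "10.0.0.0/8",  "192.168.10.0/24",  "tcp", 443,  "allow", 1200, date(2024, 5, 30)),
    Rule("allow-host-web", "10.1.2.3/32", "192.168.10.5/32",  "tcp", 443,  "allow", 0,    None),
    Rule("deny-legacy",    "10.5.0.0/16", "192.168.10.0/24",  "tcp", 443,  "deny",  0,    None),
    Rule("allow-dns",      "10.0.0.0/8",  "192.168.20.53/32", "udp", 53,   "allow", 40,   date(2023, 11, 1)),
    Rule("deny-all",       "0.0.0.0/0",   "0.0.0.0/0",        "any", None, "deny",  999,  date(2024, 6, 1)),
]
REVIEW_DATE = date(2024, 6, 1)


if __name__ == "__main__":
    report = review(RULES, REVIEW_DATE)
    for shadowed, by, conflict in report["shadowed"]:
        flag = "POLICY CONFLICT" if conflict else "redundant"
        print(f"shadowed: {shadowed} never matches, covered by {by} ({flag})")
    for name in report["stale"]:
        print(f"stale: {name} has had no hits in the last 90 days")
```

On the constructed ruleset, `allow-host-web` is reported as redundant (same action as the covering rule) and `deny-legacy` as a policy conflict, since the earlier `allow-web` admits the same traffic before the deny is ever evaluated; `allow-dns` is reported stale because its last hit falls outside the 90-day window. A zero hit counter alone is not proof a rule is dead (a rule for a disaster-recovery path may legitimately see no traffic for months), which is why the script reports and the review decides.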
My only point here is that we are not all under Sarbox requirements, nor should we be. I get that your organization needs to be Sarbox compliant, but the vast majority of my clients have not had to comply with that particular regulation. Myopic? Does every organization need to be Sarbox compliant regardless?
This is not an argument for or against one pattern or another. Security, in any form or flavor, has ultimate responsibility for the audit and maintenance of the firewall. Networking is usually the folks who physically move physical appliances around, design the physical workflow and otherwise provide the first line of physical security to the physical room. As corporate data centers have dwindled, that allows me to spend more time doing higher levels of security work, rather than physically humping routers to and fro. This has nothing to do with the overall security, nor does it have anything to do with Sarbox.
Give it a rest.