Who should manage firewalls? InfoSec or Networking?
Where should an IPsec site-to-site tunnel terminate? Firewalls or routers?
This is a good question. I work for a mid-tier defense contractor, and for us firewalls fall solidly into the Network Engineering category. InfoSec tends to be more devoted to policy and procedure, whereas actual firewall administration is more technical and requires engineering skills. We use a matrix structure, though, so it might be different if you're not using that model. I'm interested to see what the other responses are.
I responded to your other thread, but I'll paste here as I suspect the other will be deleted for being off-topic.
Well, I would say it depends on the organization and how it has been structured. InfoSec _should_ have some amount of input as to the rules on the firewall, but the actual management of the device could live in either realm, as could the ultimate ownership of the device. In reality, we rarely get to function in a world of ideal situations, so I'm curious if there's more behind your question.
With regard to where VPNs should terminate, there is no right answer. I've deployed them terminating on firewalls, routers (both in front of and behind firewalls), and probably a few other scenarios that escape me at the moment. It all comes down to what you are protecting, and the level of trust assigned to both sides of the VPN. It's a question of risk.
I work in local Government and it is a Security and Networks Team - we control all the firewalling and have oversight of the networking (direct support contracted out). We aren't InfoSec really as that function falls under a separate section (policies etc.). So the security piece for us is around defense in depth and least privilege rather than data privacy specifically.
If you take a large step backwards, there are a few things to break down:
- the size of the department/entity (if you have one person, then choices are stark!)
- the skill-sets needed (firewalls collapse networking, security, monitoring, etc.)
- the separation of duties and access control (who can view, who can change, etc.)
- the complementary elements around the firewall (e.g. the central logging, SIEM tool, etc.), which might mean infosec people can view logs/alerts and network folks can configure rules/routing.
The department, job titles and organisation silos should come after all this and help support it. Most times, to ensure nobody is demotivated, jobs, roles and responsibilities are blurred.
I have been at workplaces big and small. In some places they had dedicated network teams; in other places they did not. I have had to work on firewalls as well as just make policy for them. In the policy place, I approved all firewall changes as part of my daily duties. So it really varies depending on the needs of the organization.
Preferably, the InfoSec people would not be maintaining them (i.e. actively working on them), but advising on or approving changes. But perhaps in your organization your InfoSec team is large; then they might be the ones to do it. In either case you should have some insight into the process or have the audit capability. In some places I was granted read-only access or I was able to pull reports, etc. InfoSec needs visibility into firewalls, but preferably is not the one making changes; however, if they are making changes there should be an audit trail or other notification process so that you do not have a fox-watching-the-henhouse scenario.