Viewer II

Firewall function belongs to InfoSec or Networking?

Who should manage firewalls? InfoSec or Networking?

Where should IPsec site-to-site tunnels terminate? Firewalls or routers?

16 Replies
Viewer III

Re: Firewall function belongs to InfoSec or Networking?

This is a good question. I work for a mid-tier defense contractor, and for us firewalls fall solidly into the Network Engineering category.  InfoSec tends to be more devoted to policy and procedure, whereas actual firewall administration is more technical and requires engineering skills.  We use a matrix structure, though, so it might be different if you're not using that model.  I'm interested to see what other responses are.

Newcomer II

Re: Firewall function belongs to InfoSec or Networking?

I responded to your other thread, but I'll paste here as I suspect the other will be deleted for being off-topic.

Well, I would say it depends on the organization and how it has been structured. InfoSec _should_ have some amount of input as to the rules on the firewall, but the actual management of the device could live in either realm, as could the ultimate ownership of the device. In reality, we rarely get to function in a world of ideal situations, so I'm curious if there's more behind your question.

With regards to where VPNs should terminate, there is no right answer. I've deployed them terminating on firewalls, routers (both in front of and behind firewalls), and probably a few other scenarios that escape me at the moment. It all comes down to what you are protecting, and the level of trust assigned to both sides of the VPN. It's a question of risk.

Newcomer II

Re: Firewall function belongs to InfoSec or Networking?

I work in local government and it is a Security and Networks Team - we control all the firewalling and have oversight of the networking (direct support is contracted out). We aren't InfoSec really, as that function falls under a separate section (policies etc.). So the security piece for us is around defense in depth and least privilege rather than data privacy specifically.

Newcomer II

Re: Firewall function belongs to InfoSec or Networking?

And we terminate VPNs on our own kit rather than on the routers, which are under external contract; this keeps a better level of control, theoretically.

Community Champion

Re: Firewall function belongs to InfoSec or Networking?

Firewalls are exclusively in the domain of INFOSEC. I cannot foresee, if security is being done correctly, that separation of duties wouldn't apply here.

Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE

Viewer II

Re: Firewall function belongs to InfoSec or Networking?

Management of firewalls is technical work. But defining policy, continuous monitoring via logging, and ensuring compliance is implemented properly are the security team's responsibility.

Newcomer III

Re: Firewall function belongs to InfoSec or Networking?

Some thoughts.

If you take a large step backwards there are a few things to break down:

- the size of the department/entity (if you have one person, then choices are stark!)

- the skill-sets needed (firewalls collapse networking, security, monitoring, etc.)

- the separation of duties and access control (who can view, who can change, etc.)

- the complementary elements around the firewall (e.g. the central logging, SIEM tool, etc.), which might mean infosec people can view logs/alerts and network folks can configure rules/routing.

The department, job titles and organisation silos should come after all this and help support it. Most times, to ensure nobody is demotivated, jobs, roles and responsibilities are blurred.

Adam

Community Champion

Re: Firewall function belongs to InfoSec or Networking?

I have been at workplaces big and small. In some places they had dedicated network teams; in other places they did not. I have had to work on firewalls as well as just make policy for them. In the policy place, I approved all firewall changes as a part of my daily duties. So it really varies depending on the needs of the organization.

Preferably, the InfoSec people would not be maintaining them (i.e. actively working on them), but advising or approving changes. But perhaps in your organization your InfoSec team is large; then they might be the ones to do it. In either case you should have some insight into the process or have the audit capability. In some places I was granted read-only access or I was able to pull reports, etc. InfoSec needs visibility into firewalls, but preferably is not the one making changes; however, if they are making changes there should be an audit trail or other notification process so that you do not have a fox watching the hen house scenario.

Viewer II

Re: Firewall function belongs to InfoSec or Networking?

Firewall rule changes are first reviewed and approved by the information security team. After approval from the information security department, the same firewall rules are sent to the network department to make the changes accordingly. However, it is the responsibility of the individual application owners to review their firewall rules monthly or quarterly, based on the criticality of the application. The same rule review may be audited by auditors for compliance as per ISD approvals.
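A check for the approve-then-implement workflow the last two replies describe, as an added example that is not from this thread (the ticket ids, account names, team roster and rule names are constructed): it flags firewall changes that have no InfoSec-approved ticket, that were approved and implemented by the same account, or that were pushed by an account outside the network team.

```python
# Added example, not code from the thread: audits a firewall change log against
# InfoSec approvals for the separation-of-duties rules discussed above.
# All accounts, ticket ids and rule names below are constructed sample data.
from dataclasses import dataclass

@dataclass
class Approval:
    ticket: str
    approver: str   # InfoSec reviewer who approved the change
    rule_id: str

@dataclass
class ChangeEvent:
    ticket: str
    actor: str      # account that committed the change on the firewall
    rule_id: str

# Constructed roster: the only accounts allowed to push firewall changes.
NETWORK_TEAM = {"nwadmin1", "nwadmin2"}

def audit(approvals: list[Approval], events: list[ChangeEvent]) -> list[str]:
    """Return one finding per violation; an empty list means every change was
    approved by InfoSec, implemented by the network team, and approved by
    someone other than the implementer."""
    by_ticket: dict[str, Approval] = {a.ticket: a for a in approvals}
    findings: list[str] = []
    for ev in events:
        appr = by_ticket.get(ev.ticket)
        if appr is None:
            findings.append(f"{ev.rule_id}: no approved ticket {ev.ticket} (actor {ev.actor})")
            continue
        if appr.rule_id != ev.rule_id:
            findings.append(f"{ev.rule_id}: ticket {ev.ticket} approved {appr.rule_id}, not this rule")
        if appr.approver == ev.actor:
            findings.append(f"{ev.rule_id}: {ev.actor} approved and implemented the same change")
        if ev.actor not in NETWORK_TEAM:
            findings.append(f"{ev.rule_id}: implemented by {ev.actor}, not a network team account")
    return findings

SAMPLE_APPROVALS = [
    Approval("CHG-100", "infosec_a", "allow-dmz-web"),
    Approval("CHG-101", "nwadmin1", "allow-vpn-mgmt"),   # approver is a network admin
    Approval("CHG-102", "infosec_b", "deny-legacy-smb"),
]
SAMPLE_EVENTS = [
    ChangeEvent("CHG-100", "nwadmin1", "allow-dmz-web"),       # clean
    ChangeEvent("CHG-101", "nwadmin1", "allow-vpn-mgmt"),      # self-approved
    ChangeEvent("CHG-999", "nwadmin2", "allow-any-any"),       # never approved
    ChangeEvent("CHG-102", "contractor1", "deny-legacy-smb"),  # wrong team
]
```

Running `audit(SAMPLE_APPROVALS, SAMPLE_EVENTS)` on the constructed data returns three findings, one for each of the last three events.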