Showing results for 
Show  only  | Search instead for 
Did you mean: 
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Viewer II

Firewall = InfoSec or Networking


         need some input from as much specialist as possible please. who should own firewalls? InfoSec or network? if InfoSec is focused on risk, should they really be controlling traffic flow and connectivity?
         Also where should site-to-site IPsec tunnels terminate? best practice states that the defacto is to terminate on firewalls but is that still true? should we treat this as a regular interface and terminate on routers?



appreciate whatever feedback you can provide.

3 Replies
Newcomer II

Well, I would say it depends on the organization and how it has been structured.  InfoSec _should_ have some amount of input as to the rules on the firewall, but the actual management of the device could live in either realm, as could the ultimate ownership of the device.  In reality, we rarely get to function in a world of ideal situations, so I'm curious if there's more behind your question.


With regards to where should VPNs terminate, there is no right answer.  I've deployed them terminating on firewalls, routers (both in front and behind firewalls), and probably a few other scenarios that escape me at the moment.  It all comes down to what you are protecting, and the level of trust assigned to both sides of the VPN.  It's a question of risk.

Community Champion

@reraises99 wrote:

Who should own firewalls? InfoSec or network?

Along the same lines:

  • Who should own patching?
  • Who should own employee on/off boarding?
  • Who should own risk management?
  • Who should own business recovery?
  • Who should own backup/restore?
  • Who should own malware defense?
  • Who should own Active Directory?
  • Who should own policy development?

Much like the CISSP is a "mile wide and an inch deep", so is a security department.  The bottom line is that there is a "Security" aspect to just about everything in I.T. (and business).  Security is much too big a topic for one department to manage from soup to nuts. Much better is to partner with everyone and serve in an advisory role to all.  


So, when it comes to policy development, I gather up the relevant framework bits, benchmarks and other needs.  Then I go to the network team and collaborate on a policy that both will pass audit and is maintainable by them.  When they make firewall changes, they take the request, write it up into an action plan and then discuss it with me.  Once everyone is on board, they make it so.  If you want, you can think of this as a "separation of duties" control, but I prefer to think of it as "two heads are better than one".  


With respect to VPN termination, I feel that either choice is equally secure, so I leave the decision up to the networking team.  As it turns out, their answer is "both".  VPNs with a huge access-control aspect land on firewalls whereas others need fail-over capabilities better handled by a router.  



Community Champion



Is it possible to combine this string of messages with:


Lots of good information and conversation happening in both spots.


@reraises99 I have asked for this so that information does not get lost.  Would ask that you post in only one spot to avoid confusion in future.