Need some input from as many specialists as possible, please. Who should own firewalls: InfoSec or network? If InfoSec is focused on risk, should they really be controlling traffic flow and connectivity? Also, where should site-to-site IPsec tunnels terminate? Best practice states that the de facto approach is to terminate on firewalls, but is that still true? Should we treat this as a regular interface and terminate on routers?
Well, I would say it depends on the organization and how it has been structured. InfoSec _should_ have some amount of input as to the rules on the firewall, but the actual management of the device could live in either realm, as could the ultimate ownership of the device. In reality, we rarely get to function in a world of ideal situations, so I'm curious if there's more behind your question.
With regard to where VPNs should terminate, there is no right answer. I've deployed them terminating on firewalls, routers (both in front of and behind firewalls), and probably a few other scenarios that escape me at the moment. It all comes down to what you are protecting, and the level of trust assigned to both sides of the VPN. It's a question of risk.
Much like the CISSP is a "mile wide and an inch deep", so is a security department. The bottom line is that there is a "Security" aspect to just about everything in I.T. (and business). Security is much too big a topic for one department to manage from soup to nuts. Much better is to partner with everyone and serve in an advisory role to all.
So, when it comes to policy development, I gather up the relevant framework bits, benchmarks and other needs. Then I go to the network team and collaborate on a policy that will both pass audit and be maintainable by them. When they make firewall changes, they take the request, write it up into an action plan and then discuss it with me. Once everyone is on board, they make it so. If you want, you can think of this as a "separation of duties" control, but I prefer to think of it as "two heads are better than one".
With respect to VPN termination, I feel that either choice is equally secure, so I leave the decision up to the networking team. As it turns out, their answer is "both". VPNs with a huge access-control aspect land on firewalls whereas others need fail-over capabilities better handled by a router.