sunhux
asked on
RBAC / segregation of roles when it comes to Firewall / proxy requests
I'm drafting an SOP doc & need to spell out the specific roles/duties of Firewall admins vs IT Security (governance):

I'm not sure if RBAC (Role Based Access Control) comes into play here, but my view is:

a) All Firewall rule requests as well as proxy requests (say to whitelist a URL or permit certain file types to be saved/downloaded) are to be reviewed & approved by IT Security governance as well as the requestor's manager, while Firewall admins implement them: is this what's generally practised?

b) Reviews of Firewall logs/events are jointly done by a network admin or lead or manager who is not an implementer of firewall rules & counter-reviewed by IT Security gov: certainly we hope to automate this by SIEM with UEBA, but Audit still requires such event/log reviews to be signed off by 2 parties.

c) What about firewall rule reviews: which parties should review them? Certainly not firewall admins, as they're the creators of the rules, so they'll just sign off as "No issue": it's a conflict of interest. We had run into a case where a critical & sensitive Prod server was permitted for access to the entire organization. Tools like Tufin only review for "dormant" rules but not such rules created for "testing" but not removed afterwards. Could any tools help with such detection?
I like to take the change control ITIL process route. When firewall admins need to make a change, credentials are granted. A config snapshot before and after will allow you to validate the changes that happened. Something like Auvik can help with this, as it does both the login abstraction without unique passwords in all the gear, as well as configuration backup and recovery for most network gear.
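The two ideas raised here, a before/after snapshot of the rule base from the answer above and the asker's point (c) about "testing" rules that were never removed and a Prod server opened to the whole organization, can be checked in one pass over the snapshot delta. The script below is an added illustration, not code from the thread or from any vendor tool: the rule format, the sensitive-host list and the 10.0.0.0/8 corporate range are constructed assumptions, and a real review would feed it the exported policy from your own firewall.

```python
import ipaddress
from datetime import date

# Assumed inventory: hosts tagged as sensitive Prod, and the corporate address space.
SENSITIVE_HOSTS = {"10.10.5.20"}
CORP_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample snapshots (not a real vendor export format).
BEFORE = [
    {"id": 1, "src": "10.20.0.0/16", "dst": "10.10.5.20", "port": "443",
     "desc": "app tier to db", "created": "2023-01-10"},
]
AFTER = BEFORE + [
    {"id": 2, "src": "any", "dst": "10.10.5.20", "port": "any",
     "desc": "TEST - temp access for troubleshooting", "created": "2024-02-01"},
    {"id": 3, "src": "10.30.1.0/24", "dst": "10.40.2.9", "port": "22",
     "desc": "jump host", "created": "2024-02-01"},
]

def src_network(src):
    """Normalise the source field; 'any' means the whole IPv4 space."""
    return ipaddress.ip_network("0.0.0.0/0" if src == "any" else src, strict=False)

def diff_rules(before, after):
    """Rules present after the change window but not before: what the reviewer signs off on."""
    seen = {r["id"] for r in before}
    return [r for r in after if r["id"] not in seen]

def findings(rules, today="2024-03-01", max_test_days=14):
    """Flag org-wide access to sensitive hosts and 'test' rules past their grace period."""
    out = []
    for r in rules:
        net = src_network(r["src"])
        # Source covers the entire corporate range (or more) and hits a sensitive host.
        if r["dst"] in SENSITIVE_HOSTS and net.supernet_of(CORP_NET):
            out.append((r["id"], "sensitive host reachable from entire org"))
        # Rule described as a test and older than the allowed temporary window.
        age = (date.fromisoformat(today) - date.fromisoformat(r["created"])).days
        if "test" in r["desc"].lower() and age > max_test_days:
            out.append((r["id"], f"test rule older than {max_test_days} days"))
    return out

if __name__ == "__main__":
    for rule_id, reason in findings(diff_rules(BEFORE, AFTER)):
        print(f"rule {rule_id}: {reason}")
```

The delta report gives the non-implementing reviewer a short list to sign off rather than the whole rule base, and the two checks are the ones a dormant-rule report would miss.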
ASKER
So any authoritative URLs/articles would be useful as well to support it.