RBAC / segregation of roles when it comes to Firewall / proxy requests

sunhux used Ask the Experts™
I'm drafting an SOP doc & need to spell out the specific roles/duties of
Firewall admins vs IT Security (governance) :

I'm not sure if RBAC (Role Based Access Control) comes into play here
but my view is:

a) all Firewall rules requests as well as proxy requests (say to whitelist
    a URL or permit certain file types to be saved/downloaded) are to
    be reviewed & approved by the IT Security governance as well as
    requestor's managers  while Firewall admins implement them:
    is this what's generally practised?

b) reviews of Firewall logs/events are jointly done by a network admin
     or lead or manager who is not an implementer of firewall rules &
     counter-reviewed by IT Security gov : certainly we hope to automate
     this by SIEM with UEBA but Audit still requires such events/logs reviews
     to be signed off by 2 parties

c) What about firewall rules review : which parties should review them?
    Certainly not firewall admins as they're the creators of the rules so
     they'll just sign off as "No issue" : it's a conflict of interest.  We had
     run into a case where a critical & sensitive Prod server was permitted
     for access to the entire organization.  Tools like Tufin only review for
     "dormant" rules but not such rules created for "testing" but forgotten
     to be removed.   Could any tools help with such detection?

I was combing SANS & NIST publications but they did not really answer the above questions,
so any authoritative URLs/articles will be useful as well to support it
Exec Consultant
Distinguished Expert 2018
FW admins are operational staff, part of the infrastructure team. The latter typically oversees and manages all endpoints, servers, and network - that includes security equipment as well, like the FW, NIPS etc. The officer designated to oversee is also the security administrator.

ITSec (Gov) can be operational staff, part of the overall IT Gov team. The latter would have policy developers, strategy planners and, importantly, one team that oversees overall compliance and advisory for the organisation. They can be the compliance reviewer.

a) Operate by Infra Admin + Reviewed by ITSec + Approval by Hd Infra - this is one option. Ultimately, the approval is in the process and operationalisation, where the infra authority or designated change advisory committee board (CAB) makes the call but needs the policy compliance checker's input. The checker does not own the system & infra can be advisor too, hence more common is to have a CAB. The chairperson can still be the infra authority. The checker must be savvy on the network etc.; otherwise, it is just doing for the sake of doing.

b) Infra team will review the rule and surface it through to the CAB for approval. Compliance checker can be part of the CAB and sound off any concerns still. There needs to be some ticketing and workflow solution to manage such change requests. You may want to check out ServiceNow (ITSM). It may have some automated process but you need to engage them on use case. For example, for incident reporting and triaging of FW alerts that can be further automated into analysis workflow and have the response party involved.

That said, there are also FW log audit tools that may have workflow too, such as FireMon, which has a policy planner.

c) Not if any other tool but FireMon Security Manager does analyze firewall configurations to identify hidden, unused, shadowed or overly permissive rules - if rule is to state for testing, it may be higher risk as well in terms of new port open and addresses granted for access. Nonetheless, I still see if test rule is more remove it will eventually into "unused" state and can still be caught. Anyway, you can enforce commentary for the rule and use it as marker to search for all "testing" rules. It is a matter of enforcing such regime to ease your review. Also the tool knows the who, what, when of every change that happens to monitored devices in real time and that may help too.
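The comment-marker regime suggested above, combined with a check for the kind of rule the question describes (a sensitive Prod server opened to the entire organization), sketched as an added example that is not part of the original answer or of any vendor tool. The CSV column names, the sensitive range, the marker word and the thresholds are all assumptions, and the sample rules are constructed.

```python
import csv, io, ipaddress
from datetime import date

# Constructed sample export; the column names are an assumption, not a vendor format.
RULES_CSV = """id,src,dst,port,action,comment,created
101,10.20.30.0/28,10.50.1.10/32,443,allow,CHG-1001 app tier to prod DB API,2024-01-10
102,10.0.0.0/8,10.50.1.10/32,22,allow,TESTING CHG-1002 temp ssh for migration,2024-02-01
103,10.20.40.5/32,10.60.2.0/24,8080,allow,,2024-03-05
104,10.20.40.0/24,10.60.2.7/32,8443,allow,testing CHG-1003 QA check,2024-05-20
"""

SENSITIVE = [ipaddress.ip_network("10.50.1.0/24")]  # hypothetical prod segment
MARKER = "testing"      # marker word the SOP would require on temporary rules
MAX_TEST_AGE_DAYS = 14  # assumed maximum lifetime of a test rule
MIN_SRC_PREFIX = 24     # sources broader than /24 to a sensitive host are flagged

def review(csv_text, today):
    """Return (rule id, issue) pairs for a reviewer who is not the rule's author."""
    findings = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        src = ipaddress.ip_network(r["src"])
        dst = ipaddress.ip_network(r["dst"])
        age = (today - date.fromisoformat(r["created"])).days
        comment = r["comment"].strip()
        if not comment:
            # The regime only works if every rule carries a comment.
            findings.append((r["id"], "missing-comment"))
        if MARKER in comment.lower() and age > MAX_TEST_AGE_DAYS:
            # A test rule that outlived its window, whether or not it still sees traffic.
            findings.append((r["id"], "stale-test-rule"))
        if (r["action"] == "allow" and src.prefixlen < MIN_SRC_PREFIX
                and any(dst.overlaps(s) for s in SENSITIVE)):
            findings.append((r["id"], "broad-source-to-sensitive"))
    return findings

if __name__ == "__main__":
    for rule_id, issue in review(RULES_CSV, date(2024, 6, 1)):
        print(rule_id, issue)
```

Run against a scheduled export, the findings list gives the non-implementing reviewer something concrete to sign off on.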
Aaron Tomosky, Director of Solutions Consulting

I like to take the change control ITIL process route. When firewall admins need to make a change, credentials are granted. A config snapshot before and after will allow you to validate the changes that happened. Something like Auvik can help with this as it does both the login abstraction without unique passwords in all the gear, as well as configuration backup and recovery for most network gear.
