RBAC / segregation of roles when it comes to Firewall / proxy requests

I'm drafting an SOP doc & need to spell out the specific roles/duties of
Firewall admins vs IT Security (governance):

I'm not sure if RBAC (Role Based Access Control) comes into play here
but my view is:

a) all Firewall rule requests as well as proxy requests (say to whitelist
    a URL or permit certain file types to be saved/downloaded) are to
    be reviewed & approved by IT Security governance as well as the
    requestor's managers, while Firewall admins implement them:
    is this what's generally practised?

b) reviews of Firewall logs/events are jointly done by a network admin
    or lead or manager who is not an implementer of firewall rules &
    counter-reviewed by IT Security gov: certainly we hope to automate
    this by SIEM with UEBA, but Audit still requires such event/log reviews
    to be signed off by 2 parties

c) What about firewall rule reviews: which parties should review them?
    Certainly not firewall admins, as they're the creators of the rules, so
    they'll just sign off as "No issue": it's a conflict of interest. We had
    run into a case where a critical & sensitive Prod server was permitted
    for access to the entire organization. Tools like Tufin only review for
    "dormant" rules but not such rules created for "testing" that were forgotten
    and never removed. Could any tools help with such detection?

sunhux (Author) commented:
I was combing SANS & NIST publications, but they did not really answer the above questions,
so any authoritative URLs/articles will be useful as well to support it.
btan (Exec Consultant) commented:
FW admins are operational staff, part of the infrastructure team. The latter typically oversees and manages all endpoints, servers, and the network, which includes security equipment as well, like the FW, NIPS etc. The officer designated to oversee them is also the security administrator.

ITSec (Gov) can be operational staff, part of the overall IT Gov team. The latter would have a policy developer, a strategy planner and, importantly, one team that oversees overall compliance and advisory for the organisation. They can be the compliance reviewer.

a) Operate by Infra Admin + Reviewed by ITSec + Approval by Hd Infra - this is one option. Ultimately, the approval is in the process and operationalisation, where the infra authority or designated change advisory board (CAB) makes the call but needs the policy compliance checker's input. The checker does not own the system & infra can be an advisor too, hence the more common arrangement is to have a CAB. The chairperson can still be the infra authority. The checker must be savvy on the network etc., otherwise it is just doing it for the sake of doing it.

b) Infra team will review the rule and surface it through to the CAB for approval. The compliance checker can be part of the CAB and sound off any concerns still. There needs to be some ticketing and workflow solution to manage such change requests. You may want to check out ServiceNow (ITSM). It may have some automated processes, but you need to engage them on the use case. For example, incident reporting and triaging of FW alerts can be further automated into an analysis workflow and have the response party involved.

That said, there are also FW log audit tools that may have workflow too, such as FireMon, which has a policy planner.

c) Not sure of any other tool, but FireMon Security Manager does analyze firewall configurations to identify hidden, unused, shadowed or overly permissive rules. If a rule is stated to be for testing, it may be higher risk as well in terms of new ports opened and addresses granted access. Nonetheless, I still see that if a test rule is not removed, it will eventually go into the "unused" state and can still be caught. Anyway, you can enforce commentary for the rule and use it as a marker to search for all "testing" rules. It is a matter of enforcing such a regime to ease your review. Also, the tool knows the who, what, when of every change that happens to monitored devices in real time, and that may help too.
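The three checks discussed above (a "testing" marker in the rule comment, an any-source rule reaching a sensitive Prod host, and dormant rules) can be scripted against a rule-base export while the team waits for a commercial tool. The following is an added example written for this thread, not FireMon's or Tufin's code; the CSV column names, the `TEST:` comment convention, the sensitive-host list and the rule data are all constructed assumptions.

```python
"""Firewall rule-base review helper (added example; not a Tufin/FireMon feature).

Assumptions (not from the thread): rules are exported as CSV with the columns
below, an enforced comment convention marks temporary rules with "TEST:", and
SENSITIVE_HOSTS lists the tagged production assets.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export; addresses, dates and hits are made up.
SAMPLE_EXPORT = """\
id,src,dst,service,action,comment,created,last_hit
10,10.20.0.0/16,10.50.1.5,tcp/443,allow,CHG0001 web tier to API,2019-01-10,2019-06-01
11,any,10.50.1.9,tcp/1433,allow,TEST: vendor troubleshooting,2019-03-02,2019-03-04
12,10.20.3.0/24,10.50.1.9,tcp/1433,allow,CHG0042 app to DB,2019-02-15,2019-06-02
13,10.20.4.0/24,10.50.2.7,tcp/22,allow,CHG0050 jump host,2018-11-01,
14,any,10.50.1.5,tcp/443,allow,CHG0007 public web,2018-08-20,2019-06-02
"""

SENSITIVE_HOSTS = {"10.50.1.9", "10.50.2.7"}   # assumed tagged Prod assets
TEST_MARKER = "TEST:"                          # assumed enforced comment prefix
TEST_MAX_AGE = timedelta(days=14)              # a test rule older than this is overdue
DORMANT_AFTER = timedelta(days=90)             # no hits for this long = dormant


def parse_export(text):
    """Parse the CSV export into dicts with real date objects."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        row["created"] = date.fromisoformat(row["created"])
        row["last_hit"] = date.fromisoformat(row["last_hit"]) if row["last_hit"] else None
        rules.append(row)
    return rules


def review(rules, today):
    """Return (rule id, finding) pairs for a reviewer who did not write the rules."""
    findings = []
    for r in rules:
        # 1. temporary rule whose marker says "testing" but has outlived its window
        if r["comment"].startswith(TEST_MARKER) and today - r["created"] > TEST_MAX_AGE:
            findings.append((r["id"], "stale-test-rule"))
        # 2. whole-organisation (any) access allowed to a sensitive Prod host
        if r["src"] == "any" and r["dst"] in SENSITIVE_HOSTS and r["action"] == "allow":
            findings.append((r["id"], "any-source-to-sensitive-host"))
        # 3. dormant rule: never hit, or not hit within the window
        if r["last_hit"] is None or today - r["last_hit"] > DORMANT_AFTER:
            findings.append((r["id"], "dormant"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in review(parse_export(SAMPLE_EXPORT), date(2019, 6, 3)):
        print(f"rule {rule_id}: {finding}")
```

Run on the constructed export with a review date of 2019-06-03, rule 11 is flagged three times (stale test rule, any-source to a sensitive host, and dormant) and rule 13 once (never hit); rule 14 is any-source but its destination is not in the sensitive list, which is exactly why the host tagging has to be maintained by someone other than the rule author. The marker search only works if the comment convention is enforced at change approval, as btan notes.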

Aaron Tomosky (Director of Solutions Consulting) commented:
I like to take the change control ITIL process route. When firewall admins need to make a change, credentials are granted. A config snapshot before and after will allow you to validate the changes that happened. Something like Auvik can help with this, as it does both the login abstraction without unique passwords in all the gear, as well as configuration backup and recovery for most network gear.
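The before/after snapshot validation described above can be reduced to a small script the reviewer (not the implementer) runs against the two backups and the approved change ticket. This is an added example for the thread, not Auvik's code; the Cisco-style ACL snapshots, the ticket contents and the convention that a ticket lists the exact rule lines it approves are all constructed assumptions.

```python
"""Validate a firewall change against before/after config snapshots.

Added example, not Auvik's own code. Assumes snapshots are plain-text rule
lists (constructed Cisco-style ACL syntax) and the approved change ticket
lists the exact rule lines it covers.
"""
import difflib

# Constructed snapshot taken before the change window.
BEFORE = """\
! snapshot 2019-06-02 23:55
access-list OUTSIDE_IN extended permit tcp any host 10.50.1.5 eq 443
access-list OUTSIDE_IN extended permit tcp 10.20.3.0 255.255.255.0 host 10.50.1.9 eq 1433
access-list OUTSIDE_IN extended deny ip any any
"""

# Constructed snapshot taken after the admin's credentials were revoked.
AFTER = """\
! snapshot 2019-06-03 00:20
access-list OUTSIDE_IN extended permit tcp any host 10.50.1.5 eq 443
access-list OUTSIDE_IN extended permit tcp 10.20.3.0 255.255.255.0 host 10.50.1.9 eq 1433
access-list OUTSIDE_IN extended permit tcp 10.20.8.0 255.255.255.0 host 10.50.1.9 eq 1433
access-list OUTSIDE_IN extended permit tcp any host 10.50.2.7 eq 22
access-list OUTSIDE_IN extended deny ip any any
"""

# Constructed ticket: the CAB approved exactly one added line and no removals.
CHANGE_TICKET = {
    "id": "CHG0099",
    "add": {"access-list OUTSIDE_IN extended permit tcp 10.20.8.0 255.255.255.0 host 10.50.1.9 eq 1433"},
    "remove": set(),
}


def normalize(text):
    """Drop comment/timestamp lines and collapse whitespace so diffs compare rules only."""
    lines = []
    for line in text.splitlines():
        line = " ".join(line.split())
        if line and not line.startswith("!"):
            lines.append(line)
    return lines


def snapshot_diff(before, after):
    """Return (added, removed) rule lines between the two snapshots."""
    b, a = normalize(before), normalize(after)
    added = [line for line in a if line not in b]
    removed = [line for line in b if line not in a]
    return added, removed


def validate_change(before, after, ticket):
    """Compare the observed change with what the ticket approved.

    'unapproved' = lines changed on the device but absent from the ticket;
    'missing'    = lines the ticket approved that were never applied.
    """
    added, removed = snapshot_diff(before, after)
    unapproved = [line for line in added if line not in ticket["add"]]
    unapproved += [line for line in removed if line not in ticket["remove"]]
    missing = [line for line in ticket["add"] if line not in added]
    missing += [line for line in ticket["remove"] if line not in removed]
    return {"unapproved": unapproved, "missing": missing}


if __name__ == "__main__":
    print("\n".join(difflib.unified_diff(normalize(BEFORE), normalize(AFTER),
                                         "before", "after", lineterm="")))
    print(validate_change(BEFORE, AFTER, CHANGE_TICKET))
```

On the constructed data the diff shows two added lines; the DB rule matches ticket CHG0099, while the `any ... 10.50.2.7 eq 22` line is reported as unapproved and goes back to the CAB. The comparison is set-based, so a pure reordering of existing lines (which changes ACL semantics on first-match firewalls) is not reported; a reviewer who cares about ordering should also compare the sequence of common lines.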