I'm drafting an SOP doc and need to spell out the specific roles/duties of Firewall admins vs IT Security (governance):

I'm not sure if RBAC (Role Based Access Control) comes into play here, but my view is:

a) All firewall rule requests as well as proxy requests (say, to whitelist a URL or permit certain file types to be saved/downloaded) are to be reviewed and approved by IT Security governance as well as the requestor's manager, while firewall admins implement them. Is this what's generally practised?

b) Reviews of firewall logs/events are jointly done by a network admin or lead or manager who is not an implementer of firewall rules, and counter-reviewed by IT Security governance. Certainly we hope to automate this via SIEM with UEBA, but Audit still requires such event/log reviews to be signed off by two parties.

c) What about firewall rule reviews: which parties should review them? Certainly not firewall admins, as they're the creators of the rules, so they'll just sign off as "No issue": it's a conflict of interest. We had run into a case where a critical and sensitive Prod server was permitted for access to the entire organization. Tools like Tufin only review for "dormant" rules but not such rules created for "testing" and forgotten to be removed. Could any tools help with such detection?
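The two failure modes raised in (c), a sensitive production server reachable from the whole organization and "testing" rules that never get removed, plus the approval-evidence point from (a), can be checked mechanically at review time rather than relying on the rule creator's sign-off. The script below is an added example, not from the original post or from any vendor tool: it lints an exported rule set against a governance-maintained list of sensitive hosts, flags allow rules whose source covers the entire organization (or "any") to such a host, flags rules marked as test/temporary that have no removal date or whose date has passed, and flags rules with no change/approval ticket. The rule fields, the `10.0.0.0/8` organization range, the `prod-db-01` host, the ticket ids and the wording used to detect temporary rules are all constructed assumptions; map them to whatever your firewall export and change system actually provide.

```python
# Added example (not from the original post): a minimal review-time linter for an
# exported firewall rule set. Rule fields, the sensitive-host list, the
# organisation CIDR and the "testing/temporary" wording are constructed
# assumptions for illustration.
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    src: str            # CIDR, or "any"
    dst: str            # CIDR, or "any"
    ports: str
    action: str         # "allow" / "deny"
    comment: str = ""
    ticket: str = ""    # change/approval ticket id; empty = no recorded approval
    expires: Optional[date] = None   # removal date for temporary rules


# Constructed: the organisation's address space and the hosts governance has
# tagged as critical/sensitive (e.g. a production database server).
ORG_NET = ipaddress.ip_network("10.0.0.0/8")
SENSITIVE_HOSTS = {
    ipaddress.ip_network("10.10.5.20/32"): "prod-db-01",
}
TEMP_MARKERS = ("test", "temp", "temporary", "poc")

Finding = Tuple[str, str, str]   # (rule name, finding code, detail)


def _net(spec: str) -> ipaddress.IPv4Network:
    """Turn a rule address field into a network; 'any' means every address."""
    if spec.strip().lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)


def lint(rules: List[Rule], today: date) -> List[Finding]:
    findings: List[Finding] = []
    for r in rules:
        if r.action.lower() != "allow":
            continue                      # only permits create exposure
        src, dst = _net(r.src), _net(r.dst)

        # 1. A sensitive host reachable from the whole organisation (or from
        #    anywhere): the over-permissive case described in the post.
        for host, label in SENSITIVE_HOSTS.items():
            if host.subnet_of(dst) and ORG_NET.subnet_of(src):
                findings.append((r.name, "BROAD_SRC_TO_SENSITIVE",
                                 f"{label} reachable from {r.src} on {r.ports}"))

        # 2. Rules labelled as testing/temporary must carry a removal date,
        #    and that date must not already be in the past.
        text = f"{r.name} {r.comment}".lower()
        if any(m in text for m in TEMP_MARKERS):
            if r.expires is None:
                findings.append((r.name, "TEMP_RULE_NO_EXPIRY",
                                 "marked temporary but has no removal date"))
            elif r.expires < today:
                findings.append((r.name, "TEMP_RULE_EXPIRED",
                                 f"removal date {r.expires} has passed"))

        # 3. No approval ticket: the implementer cannot show that a party
        #    other than themselves approved the rule (segregation of duties).
        if not r.ticket.strip():
            findings.append((r.name, "NO_APPROVAL_TICKET",
                             "no change/approval ticket recorded"))
    return findings


# Constructed sample rule set, as it might be exported from a firewall.
SAMPLE_RULES = [
    Rule("app-to-db", "10.20.0.0/16", "10.10.5.20/32", "tcp/1433", "allow",
         "app tier to prod db", ticket="CHG-1001"),
    Rule("org-to-prod-db", "10.0.0.0/8", "10.10.5.20/32", "tcp/1433", "allow",
         "testing, remove after migration"),
    Rule("vendor-poc", "10.50.1.0/24", "10.10.9.0/24", "tcp/443", "allow",
         "temporary vendor POC access", ticket="CHG-1002",
         expires=date(2024, 1, 31)),
    Rule("deny-all", "any", "any", "any", "deny", "default deny"),
]
REVIEW_DATE = date(2024, 6, 1)   # constructed date of the periodic review


def lint_sample() -> List[Finding]:
    """Run the linter over the constructed sample set (4 findings expected)."""
    return lint(SAMPLE_RULES, REVIEW_DATE)


if __name__ == "__main__":
    for name, code, detail in lint_sample():
        print(f"{name:16} {code:24} {detail}")
```

Run against the sample set, the linter reports nothing for `app-to-db`, three findings for `org-to-prod-db` (broad source to a sensitive host, a test rule with no removal date, no approval ticket) and one expired temporary rule for `vendor-poc`. The output is the artifact a reviewer who is not the rule implementer can sign off on, and the sensitive-host list is deliberately kept outside the firewall team's control so that the check reflects governance's view of what is critical.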