Link to home
Start Free TrialLog in
Avatar of sunhux

asked on

RBAC / segregation of roles when it comes to Firewall / proxy requests

I'm drafting an SOP doc & need to spell out the specific roles/duties of
Firewall admins vs IT Security (governance) :

I'm not sure if RBAC (Role Based Access Control) comes into play here
but my view is:

a) all Firewall rules requests as well as proxy requests (say to whitelist
    a URL or permit certain file types to be saved/downloaded) are to
    be reviewed & approved by the IT Security governance as well as
    requestor's managers  while Firewall admins implement them:
    is this what's generally practised?

b) reviews of Firewall logs/events are jointly done by a network admin
     or lead or manager who is not an implementer of firewall rules &
     counter-reviewed by IT Security gov : certainly we hope to automate
     this by SIEM with UEBA but Audit still requires such events/logs reviews
     to be signed off by 2 parties

c) What about firewall rules review : which parties should review them?
    Certainly not firewall admins as they're the creator of the rules so
     they'll just sign off as "No issue" : it's a conflict of interest.  We had
     run into case where a critical & sensitive Prod server was permitted
     for access to entire organization.  Tools like Tuffin only review for
     "dormant" rules but not such rules created for "testing" but forgot
     to be removed.   Any tools could help with such detection?
Avatar of sunhux


I was combing SANS & NIST publications but they did not really answer the above questions,
so any authoritative URLs/articles will be useful as well to support it
Avatar of btan

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
I like to take the change control ITIL process route. When firewall admins need to make a change, credentials are granted. A config snapshot before and after will allow you to validate the changes that happened. Something like auvik can help with this as it doesn't both the login abstraction without unique passwords in all the gear, as well as configuration backup and recovery for most network gear.