
Who should manage the firewall?

Maintaining a firewall is not an easy task, especially when business rules narrowly define which tasks should be performed by network administrators and which should be handled by information security practitioners. To make life easier, some organizations have decided to share firewall responsibilities, while others have determined that separating duties is more efficient. In this tip, your peers and colleagues share their advice and experiences on which approaches are best for maintaining the corporate firewall.

ITKE member muneanya posed this question: Our information security department is different from the network department....

The network department handles the installation, upgrade, routing and IP address specifications on the firewalls, while our information security department writes the rules. The problem is this -- almost all troubleshooting involves the two groups. For example, in a session that involves VPN tunnels, the information security group cannot perform a simple but pertinent task like deleting and reestablishing a specific VPN tunnel, since they would not have the right to do so. What have you seen in the industry? Should the firewall responsibility be split between the two groups? If not, which should be responsible for the firewalls -- the information security team or the networking department?


ITKE member petroleumman advised:
Welcome to the world of corporate politics! You're not alone on this. Many large corporations with compartmentalized IT groups wrestle with this same dilemma, as tasks are delegated with the idea of maintaining a system of checks and balances. Corporate leaders do not want to give too much power to any one department. Unfortunately, in the IT "real world," many routine tasks will overlap among the various groups, causing a bottleneck to getting things done. It's like the machine shop where the operator has to call the electrician because the machine came unplugged, and plugging it back in falls outside the operator's job description. Talk about waste in a world where companies are trying to go lean.

I would have the network department take responsibility for installing the firewall and maintaining connectivity, and have the information security team handle all administrative tasks, since they're ultimately responsible for writing rules, enforcing policy and serving user requests.

ITKE member kbrugnani advised:
It seems like there are too many cooks in the kitchen. However, in my opinion, the LAN/WAN group should be responsible for the firewall, routers and switches, while the security team -- the ones who write the rules -- should serve as the informant, analyzer and written rule tester.

ITKE member sonyfreek advised:
The Department of Defense requires, and ISC2 recommends, sharing firewall management, separating the functions to maintain a system of checks and balances. Otherwise, it's like having the chicken guarding the hen house. I think that you could reasonably discuss having the information security folks make the rules, but providing them to the networking team, which would perform the configuration and maintenance. Also, the [information security team] should have full audit capabilities to ensure that the rules are, in fact, being set and enforced.

ITKE member kzander advised:
In my opinion, firewall security responsibilities should not be split -- we tried it and found doing so made establishing access rights and setups take longer than it should. So, we decided to allocate a specific team that was cross-educated, so there was more than one person who could configure, install and set up the proper firewall securities and accesses.

ITKE member Dollface advised:
Considering you are all on the same team, I don't see the sense in locking one group out. It just creates an environment of inefficiency, and ultimately mistakes will be made.

ITKE member larrythethird advised:
We split it, and doing so causes grief because the two teams don't always work the same hours; the network group covers business hours, but the security group basically works after hours. Trying to get a change enabled for a new business process without prior knowledge can be challenging.

ITKE member mortree advised:
Splits are typically designed to produce EXACTLY the effect you've encountered. It is known as security by inefficiency.

This way of thinking is usually imposed by managers who have a secret agenda of trying to keep up with changes without visibly seeming to struggle or ask "stupid" questions.

If you want security and efficiency without sparing the egos of managers, implementation and troubleshooting firewall responsibilities should fall to the networking group, and the information security groups should write the policies, model general access rules and audit the work completed by the network group.

Also, to achieve more control (and to prevent errors), all changes should go through a joint change control group, with the information security group granted veto power. Additionally, emergency troubleshooting should be monitored by at least one information security group member, and any implemented results should be immediately reviewed by a mini-change control group for temporary (24-, 48- or 72-hour) approval. This way, change control occurs and serious consideration will be given to security effects from several viewpoints.

ITKE member Celtic advised:
Speaking as an information security expert, I've seen 100% of the responsibility for a certain firewall given to a single person/group. In my opinion, this responsibility should not be split between two groups, for doing so causes those "diagnostics bottlenecks" you've mentioned. And as a rule of thumb, there should always be a "troubleshooting guy/group" (preferably from the information security department) who can access all the equipment and help solve problems as fast as possible.

ITKE member AlchemistTheGREAT advised:
The split you mention is common practice in most large organizations (banks, multinational companies, etc.) and it actually makes sense. It's the information security group's job to be skeptical and check if anything causes a security breach/vulnerability. Networkers, on the other hand, always try to keep the connectivity up. Seems inefficient, and it will be inefficient unless complemented by another component.

What these organizations need are automated monitoring/management solutions that pinpoint the root cause of the issue and notify the related group. If you choose an integrated solution (not a cheap point solution), you may even link the infrastructure components to business processes and be notified of what's being impacted.

Therefore, the split is normal (for a large enterprise) and it should be there to distribute the risk (not too much authority in one hand), but the people problem (blame storming and finger pointing at worst, lack of coordination and wasted time in diagnosis at best) must be addressed by an automation suite.

ITKE member NetTech21 advised:
I have been exposed to both schools of thought and have seen both approaches achieve surprisingly excellent results.

Once you get past the multiple group theory and buckle down to ensure that the firewall functions in a manner that business leaders are comfortable with and maintains a high level of security to ensure longevity, both groups will enjoy the interaction.

After being exposed to this type of environment, I found it difficult, yet not impossible, to return to a shop that is single-grouped and handles all of the IT duties. I do, however, miss the ability to propose ideas and have them scrutinized: ideas that from my mindset were good, yet were proven to fall short as others questioned all aspects of my proposal.

Keep working at it. It may surprise you what you get from the experience.

Editor's note: This question and answer thread was excerpted from ITKnowledge Exchange.

This was last published in December 2006
