1999-01-13-07:03:24 Arik Sudman:
> With regard to this question, I would like to have comments on the issue
> of the skills needed for your organization's firewall manager. The role
> includes mainly getting requirements from users, helpdesk and management -
> and build and implement an internet security policy within the product.

A "firewall manager" either _is_ the security administrator, or else performs
an important part of the job associated with security admin.

The heart of this job is to involve the users in security. A good security
admin will know enough of the broad field of computer security as well as the
nature of the local organization to be able to intelligently discuss risk
exposures and protection costs with users, to cast the issues of security into
the terms important to them, to engage them in the process of deciding what
the security policy should be.

To be a great security admin, you should be familiar enough with available
tools and building blocks so that you can quickly implement anything that's
needed; combine that with the ability to clearly and simply describe what's
impossible or prohibitively expensive and _why_, and you've got the material
to keep your users happy.

One of my greatest moments came when a policy I'd proposed --- absolutely,
positively no applets through the firewall --- was challenged; a group of
developers claimed that they needed to be able to look at how other businesses
were using applets to judge how we should use them. I scheduled a meeting and
had all the interested developers attend. I opened the meeting explaining why
I'd set the policy as I had, with references to security problems with Java
and JavaScript. Then I further explained that as long as we could meet the
firm's needs with the existing policy, it would be safer than a more lenient
one, so could we try to find another way to meet their needs without tearing
an applet-sized hole through our firewall. When I proposed a box on the DMZ
which could run an applet-enabled browser, and a tunnel so they could remote
display the vulnerable browsers back to their desktops, they agreed to give
that a try, once they understood the issues; and I was able to produce that
solution in full working condition in a few hours. So everybody went away
happy.

-Bennett