On 25 Mar 2002, Steve George wrote:

> Hi David,
>
> I don't think there is any set practice on this point. The determining
> factors are probably how skilled your firewall people are and what size
> of organisations the firewalls are protecting. More skilled admin
> people should be able to handle more systems. The size of organisation
> will tend to indicate the complexity of the system and likelihood of
> serious attack: I bet 10 small companies is equal to one medium one for
> instance.

Actually, I think that number of admins/firewall isn't ever going to be a reasonable metric. Safety is more about validation of proposed changes and ensuring that actual changes == proposed changes. Likelihood of attack has to do more with what's in the ruleset(s) than how many people mess with it. With multiple firewalls, there still needs to be some overall coordination to ensure that no single entity is taking more risk than the collective company is willing to accept.

Complexity of the system in my experience tends to have a lot more to do with how many protocols and exceptions the user base can squeeze out of the admin group, and I've always found smaller companies to have more exceptions and "because he's the boss" doors opened than large entities. I did hear of one large company that changed router access lists *lots* of times a day to accommodate exceptions, but that seemed like a potentially error-prone process to me.

> Investment in management tools can save a lot of people time. I
> remember way back reading the logs on every firewall I had each day.
> These days I don't think anyone would do that, there are concentrators
> and alerters to handle most of that work.

I still advocate dropping the noisiest things at border routers, making firewall incidents a small set of things (as opposed to firewall tracking logs, which are going to be large and possibly only need anomaly analysis anyway.) In that case, I'd be checking the incidentish stuff in logs every day on each firewall. If everything went to one log, then it'd be with grep excluding the noise, but it'd be checked everywhere (I've seen too many failures of automatic alerters and central logging systems to want to live with the chance of failure.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
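An added example, not part of Paul's message or the thread: a small POSIX shell check in the spirit of "grep excluding the noise, but checked everywhere", which also flags a firewall that produced no lines at all (the central-logging failure he worries about). The log layout, firewall names and the noise pattern are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Per-firewall daily triage of a
# consolidated log: strip expected noise, show the rest per firewall, and
# treat a silent firewall as an incident in its own right.

# Constructed sample of one day's consolidated log; field 4 names the firewall.
SAMPLE_LOG='Mar 25 01:02:03 fw1 DENY udp 192.0.2.10:137 -> 198.51.100.5:137
Mar 25 01:02:04 fw1 DENY tcp 203.0.113.9:4444 -> 198.51.100.22:22
Mar 25 01:05:00 fw2 DENY udp 192.0.2.11:138 -> 198.51.100.6:138
Mar 25 01:06:00 fw2 ACCEPT tcp 203.0.113.50:51000 -> 198.51.100.30:3389
Mar 25 01:07:00 fw2 DENY udp 192.0.2.12:137 -> 198.51.100.7:137'

# Firewalls that must report every day (assumed list); fw3 is included to
# show the silence check firing.
FIREWALLS='fw1 fw2 fw3'

# Noise to exclude: NetBIOS name/datagram chatter (udp 137/138) dropped at
# the border is expected and not worth a human's time each morning.
NOISE_RE='udp [0-9.]+:13[78] -> [0-9.]+:13[78]$'

# Print the lines logged by one firewall with the noise removed.
incident_lines() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v fw="$1" '$4 == fw' \
        | { grep -E -v "$NOISE_RE" || true; }
}

# Count every line from one firewall, noise included. Zero means the
# firewall (or its path into the central log) went silent.
line_count() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v fw="$1" '$4 == fw' | wc -l | tr -d ' '
}

# Daily check: returns 0 when every firewall reported, 1 when any was silent.
daily_check() {
    rc=0
    for fw in $FIREWALLS; do
        if [ "$(line_count "$fw")" -eq 0 ]; then
            echo "ALERT: no log lines from $fw today (logging failure?)"
            rc=1
        else
            echo "== $fw: incident-ish lines =="
            incident_lines "$fw"
        fi
    done
    return $rc
}
```

Run `daily_check` to see both the surviving non-noise lines per firewall and the alert for fw3, which never appears in the sample.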
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
