[unisog] Firewall Administration

Matt McBride matt.mcbride at utah.edu
Wed Jun 8 23:34:55 GMT 2005

The University of Utah deploys Cisco FWSMs throughout the distribution layer and at the Campus NBRs. There is a total of 14 FWSMs which are managed, upgraded, controlled, and installed by the Campus Network Engineering team. The Security team at this point has no enable access on the FW modules. It is by direction of the Campus IT Security team that rules and policies are enforced. All requests to update and implement FW rules are made by the Security team to the Network Engineering team who implements the changes.
Each FWSM within the distribution layer has multiple virtual-contexts that are managed by the respective LAN manager behind each context. This enables the LAN managers responsible for departmental resources to have control over their own FW rule set. The Campus Security team and the Network Engineering team take LAN managers through a crash-course training on the basics of FW rules and the dos and don'ts. Each virtual-context has specific configuration information that is not to be changed by any of the respective LAN managers. They are aware of these configurations and if changed, will only end up breaking themselves and the department(s) behind that context. Each LAN manager has a central TACACS+ account to provide AAA services on their virtual-context and they can only manage and see the contexts they have enable access over.
But, again, as for the FWSM as a whole, it is the Network Engineering team that manages them since they are respectively just another module in the 6500 chassis.


From: unisog-bounces at lists.sans.org on behalf of Hart, Lee Anne
Sent: Wed 6/8/2005 11:29 AM
To: mdsec-l at lists.ccbcmd.edu; unisog at sans.org; SECURITY at LISTSERV.EDUCAUSE.EDU
Subject: [unisog] Firewall Administration

If you don't mind sharing, who maintains your firewalls - hardware and operating system, not the firewall software? Currently, our IT Security team are the only people with access to our firewalls, but our networking group is asking for some rights to maintain the hardware and to be able to reboot them. I have mixed feelings about this and wanted to know how other organizations handle this. Also, what are some of the pros and cons of this?  Thanks,

Lee Anne Hart 
IT Security Analyst 
Montgomery College 

