Home page logo

basics logo Security Basics mailing list archives

RE: firewall change request
From: Dan Lynch <DLynch () placer ca gov>
Date: Fri, 17 Feb 2012 08:49:30 -0800

There have been a couple really good, detailed answers to this issue. Do others on the list have no change controls to 
speak of? And if you do, what changes are people allowed to make without a requiring a formal process of review, 
approval and documentation? For those with clear policy guidance, would you be willing to share the details?

For me, our policy says that the change request process is required for "any change that has a reasonable expectation 
of impacting customer service availability". In reality though, we go through the full process for any and all firewall 
rule changes, regardless the expected impact on service availability, like adding a host object to a group, then 
installing policy. 

We use a browser-based form in which we specify the changes to be made and their impact. This must receive the prior 
approval of at least one of seven IT supervisors, and at least one higher level IT manager. One of these supervises the 
firewall team, the other has authority over IT for a business unit that might be affected. Neither has more than 
rudimentary experience in or knowledge of firewalls or networking. The other five can sign off the change after the 

(In reality, we first request permission to submit the request, from these same supervisors. The form doesn't get 
filled out until we've received their permission do it. We request permission to request permission to perform a 
change. The entire process can take up to a week.)

They then specify when the change can be made. Some changes are made the same day during business hours, others wait 
until an after hours window opens, usually simply after 5:30 pm. In the case of one critical firewall cluster, there is 
only one window per month, a Tuesday between 4:00 am and 6:00 am. 

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]