Just my 2 cents (which are probably worth less now from a US currency standpoint): if you are making a change to a CI, especially if it's in production, I would personally want that to go through Change Mgt no matter how small the change is, if for nothing more than to ensure that it is an approved change.
Firewall rules have the potential to bring down a lot of IT systems if they are implemented wrong. Does it happen? Yes, and more often than it should.
I would insist that all firewall rules go through change management. The level at which they go through CM is for you to decide based on possible impact.
I understand the firewall team wanting to take these changes out of change control, but the decision should not be theirs to take, as the impact of things going wrong with firewall rules can be huge in both disruption and possible financial effects.
_________________
Mark O'Loughlin
ITSM / ITIL Consultant
Joined: Jan 03, 2007 Posts: 189 Location: Redmond, WA
Posted: Fri Apr 18, 2008 5:50 am Post subject:
Are the firewall rules documented somewhere? If so, I would consider that document of critical importance since it would be key to rebuilding your firewall if you had to build it from scratch. As a critical document supporting your infrastructure, it should be considered a CI.
Any document in the CMDB should be under strict version control. The change of a version of a CI would be an attribute I would want to be under Change Management. So yes, even though the change to the firewall rules might not be an attribute you track as part of the firewall's CI, the change to your documentation would need to be under Change Management.
Joined: Feb 28, 2006 Posts: 411 Location: Coventry, England
Posted: Fri Apr 18, 2008 4:34 pm Post subject:
It would seem that everyone is in agreement.
My advice would be - keep the Change covered by Change Management! The possibility exists to cover this via a Standard Change, thereby giving your Network team what they want - less 'interference' in what they do and when they do it - and giving you what you want: visibility, accountability, and control.
The questions to ask here are
How robust is the process (and procedure) for putting these changes Live?
Is there some measure of comfort that the techies can do this right every time? - the same questions asked another way -
How easy is it for them to cock this up? - Being pragmatic, this is the bottom line
_________________
Regards
Posted: Wed Apr 23, 2008 3:01 am Post subject: Firewall rules change - considered part of change management?
Something you need to consider when deciding if the full rigor of Change Management needs to be applied is what is the risk and impact if the rule fails. For us, firewall changes follow the full CM process.
Joined: Dec 30, 2005 Posts: 21 Location: Navi Mumbai, Maharashtra, India
Posted: Thu Apr 24, 2008 10:27 pm Post subject:
The main essence of Firewall rule change is
(1) Evaluation of business benefit from the change
(2) Risk assessment of a change.
Balancing between these two decides whether the change needs to be approved or declined.
In the case of a Firewall rule change, I propose that it must go through as a Non-standard change, inviting complete risk assessment of the rule change, as each rule change (opening / closing of ports inward / outward for IP addresses) can have different impacts of different sizes. It can also lead to major security incidents.
To make it lightweight (as it is a day-to-day activity), the approval may come from the Security Expert of the NOC, and that should be sufficient to execute the rule change. Also, in addition to technical information about the rule, the following information must be captured for investigating if the change results in some business impact.
(With reference to Firewall rule change)
1. Originator of the change
2. Purpose (business benefit)
3. Who has done risk assessment
4. What are the risks that cannot be eliminated (residual risks)
5. When the rule has to be reset. (Many rules are created for a requirement of a day or two and remain in the firewall forever.)
My observation: Many times the business benefits of these rule changes are not very high as compared to the risk being invited.