The Itil Community Forum: Forums


Firewall rules change - considered part of change management?

 
x95zsk
Newbie
Joined: Apr 17, 2008
Posts: 1
Location: Toronto, Canada

Posted: Fri Apr 18, 2008 3:41 am    Post subject: Firewall rules change - considered part of change management?

Hi All,

I have a question for all.

At my company, firewall rule changes must go through change management. What I mean by firewall rule changes is opening/closing ports via the command line in Cisco.

The networking team wants to move firewall rule changes to day-to-day operations, meaning they do not want to make it go through the change process and do not have to make changes.

What is it in your company? If it is operational - not going through change management - how does it get tracked? Via service request? What are the risks of it not going through change management?

Thanks.

Johan
BigYounks
Newbie
Joined: Jul 24, 2007
Posts: 3

Posted: Fri Apr 18, 2008 4:59 am

Johan,
Just my 2 cents (which are probably worth less now from a US currency standpoint): if you are making a change to a CI, especially if it's in production, I would personally want that to go through Change Mgt no matter how small the change is, if for nothing more than to ensure that it is an approved change.

Regards,

Dave Younker
Problem Mgr, Maritz Inc
Mark-OLoughlin
Senior Itiler


Joined: Oct 12, 2007
Posts: 306
Location: Ireland

Posted: Fri Apr 18, 2008 5:50 am

Hi,

Firewall rules have the potential to bring down a lot of IT systems if they are implemented wrong - does it happen - yes, and more often than it should.

I would insist that all firewall rules go through change management. The level at which they go through CM is for you to decide based on possible impact.

I understand the firewall team wanting to take these changes out of change control, but the decision should not be theirs to take, as the impact of things going wrong with firewall rules can be huge in both disruption and possible financial effects.
_________________
Mark O'Loughlin
ITSM / ITIL Consultant
dboylan
Senior Itiler


Joined: Jan 03, 2007
Posts: 189
Location: Redmond, WA

Posted: Fri Apr 18, 2008 5:50 am

Johan,

Are the firewall rules documented somewhere? If so, I would consider that document of critical importance since it would be key to rebuilding your firewall if you had to build it from scratch. As a critical document supporting your infrastructure, it should be considered a CI.

Any document in the CMDB should be under strict version control. The change of a version of a CI would be an attribute I would want to be under Change Management. So yes, even though the change to the firewall rules might not be an attribute you track as part of the firewall's CI, the change to your documentation would need to be under Change Management.

Don
UKVIKING
Senior Itiler


Joined: Sep 16, 2006
Posts: 3313
Location: London, UK

Posted: Fri Apr 18, 2008 6:31 am

All our network changes, to include firewall rules, go through the change management process.

We use a release tool to push the rules automatically to the firewall.

We also have a risk department for before

and

a q&a department to make sure what was requested was what was done.
_________________
John Hardesty
ITSM Manager's Certificate (Red Badge)

Change Management is POWER & CONTROL. /....evil laughter
asrilrm
Senior Itiler


Joined: Oct 07, 2007
Posts: 441
Location: Jakarta, INA

Posted: Fri Apr 18, 2008 10:48 am

Folks,

I think everybody should know that every change to a CI should go through Change Management.

I guess Johan's concern is more about real-life application.
For day-to-day ops, would he:
1. Raise an RFC
2. Wait for approval from Change Manager/Coordinator
3. Execute the move?

or any other simpler way? (standard change, as I currently set in my office)

Cheers,
Asril
Ed
Senior Itiler


Joined: Feb 28, 2006
Posts: 411
Location: Coventry, England

Posted: Fri Apr 18, 2008 4:34 pm

It would seem that everyone is in agreement

Johan

My advice would be - keep the Change covered by Change Management! The possibility exists to cover this via a Standard Change, thereby giving your Network team what they want - less 'interference' in what they do and when they do it - and giving you what you want: visibility, accountability, and control.

The questions to ask here are
How robust is the process (and procedure) for putting these changes Live?
Is there some measure of comfort that the techies can do this right every time? - the same questions asked another way -
How easy is it for them to cock this up? - Being pragmatic, this is the bottom line
_________________
Regards

Ed
Dot
Newbie
Joined: Apr 21, 2008
Posts: 1

Posted: Wed Apr 23, 2008 3:01 am    Post subject: Firewall rules change - considered part of change management?

Hi Johan,

Something you need to consider when deciding if the full rigor of Change Management needs to be applied is what is the risk and impact if the rule fails. For us, firewall changes follow the full CM process.

Dorothy
mredekar
Itiler


Joined: Dec 30, 2005
Posts: 21
Location: Navi Mumbai, Maharashtra, India

Posted: Thu Apr 24, 2008 10:27 pm

Hi,
The main essence of a Firewall rule change is
(1) Evaluation of the business benefit from the change
(2) Risk assessment of the change.
Balancing between these two decides whether the change needs to be approved or declined.

In the case of a Firewall rule change, I propose that it must go through as a Non-standard change, inviting complete risk assessment of the rule change, as each rule change (opening / closing of ports inward / outward for IP addresses) can have different impacts of different sizes. It can also lead to major security incidents.

To make it lightweight (as it is a day-to-day activity), the approval may come from the Security Expert of the NOC, and that should be sufficient to execute the rule change. Also, in addition to technical information about the rule, the following information must be captured for investigating if the change results in some business impact.
(With reference to Firewall rule change)
1. Originator of the change
2. Purpose (business benefit)
3. Who has done risk assessment
4. What are the risks that cannot be eliminated (residual risks)
5. When the rule has to be reset. (Many rules are created for requirement of a day or two and remain in the firewall forever).

My observation: Many times the business benefits of these rule changes are not very high as compared to the risk being invited.

Regards,
_________________
Senior Consultant - ITSM
Certified ITIL V3 Expert