Unfortunately, we now have another reason to show why your firewall (or any other security device, IMHO) should be the only software running on a particular machine, other than the OS.
Unfortunately, in these days of consolidation and price sharing, nobody seems to be listening. I don't know how many requests I get a week from different people asking for different software to be installed on the firewalls ("Can we make the firewall a DNS server? SMTP server? NTP server?")
This also highlights another thing we in the security industry should be worried about: bugs in code. With packages such as Checkpoint becoming larger and larger, it is getting harder to keep track of the internals of exactly what is happening inside these security products. While it probably isn't feasible, it would be nice to have some sort of outside auditing done on the code, as a sanity check. Heck, open source it. :)
Also, this may make people take a closer look at firewall appliances such as the Nokia. Having something that is pretty much a dedicated firewall solution (aka, stripped-down OS, running nothing else but the firewall) becomes more attractive.
So, the recipe for a good firewall is:
1) Install OS
2) De-install everything not needed to let the box run.
3) Harden OS (also, take a look at known security bugs for the OS you are running, it may save you grief in the long run).
4) Install firewall code. If you don't need some portion of the firewall, don't install/activate it! Also, RTFM. The release notes and web pages of the companies involved can save you trouble in the long run.
Of course, you need a little more than this to develop true 'network security', but this will at least help you get the firewall portion right...
--Doc
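As an added example (not part of Doc's post) of checking step 2 and the "don't activate it" advice above in practice: a POSIX shell function that reads listener output in the style of `ss -Hltnu` and reports every listening service that is not on a short allowlist of management ports. The sample listener lines and the choice of port 22 as the only allowed port are constructed assumptions; on a real box you would feed it `ss -Hltnu | audit_listeners 22`.

```shell
#!/bin/sh
# Added example, not from the original post. Flags sockets listening on a
# firewall host that are not explicitly allowed, i.e. "software other than
# the firewall and the OS" (DNS, SMTP, NTP, ...).

# Map a few well-known ports to names for readable output.
port_name() {
    case "$1" in
        22) echo "ssh" ;;
        25) echo "smtp" ;;
        53) echo "dns" ;;
        123) echo "ntp" ;;
        *) echo "port-$1" ;;
    esac
}

# audit_listeners PORT...: read ss-style lines on stdin
# (proto state recv-q send-q local:port peer:port [process]) and print
# "proto port name" for every listener whose port is not given as an
# argument. Returns 1 if any such listener was found, 0 otherwise.
audit_listeners() {
    allowed=" $* "
    found=0
    while read -r proto state rq sq laddr peer rest; do
        [ -z "$proto" ] && continue
        port="${laddr##*:}"   # works for 0.0.0.0:53, [::]:53 and *:53
        case "$allowed" in
            *" $port "*) continue ;;
        esac
        echo "$proto $port $(port_name "$port")"
        found=1
    done
    return $found
}

# Constructed sample of ss output for a box where someone said "yes" to
# the DNS/SMTP/NTP requests; only sshd (22) is allowed here (assumption).
SAMPLE='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:25 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
udp UNCONN 0 0 [::]:123 [::]:*'

if printf '%s\n' "$SAMPLE" | audit_listeners 22; then
    echo "only allowlisted services are listening"
else
    echo "the listeners above do not belong on a firewall host"
fi
```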
Unfortunately, there is no good answer for a ratio of support personnel to users. It seems that more and more IT managers cut down on support people in order to cut costs, but then don't understand why they have such a morale problem and a high turnover rate.
There are a couple of things you can do to make your life easier, however.
1) Layering. Have a "front line" that takes all the easy calls/emails (pw's, etc) so that the more experienced people can work on actual problems (like servers/networks being down).
2) Education/documentation. Enable the users to help themselves. If they can go to a web page and get some instructions on how to change their password, how to make sure their browser is set up right, or whatever you seem to be getting a lot of calls in, it will decrease the number of calls you get on those issues.
3) Express yourself to your manager. Make him/her understand (without being threatening) that people in your department are unhappy. It would also help if you went to him en masse; one person bringing concerns doesn't have the same effect as many people bringing him concerns. In the long run, is it more useful to get more people on and retain them for longer, or easier just to train new people as old ones leave?
Good luck. I was in your position once, and finally ended up having to leave. I hear it is much better at the job now, but sometimes it takes people leaving to get the point across.
--Doc