Submission: Documenting Firewall Rulesets?
An anonymous reader writes: I have a substantial amount of experience on "both sides of the firewall" and to date have used my knowledge and experience as wisely as possible. For much of the past decade I have been the primary administrator of an enterprise-class firewall for a fairly large entity, having designed and built the current infrastructure from the initial installs. The firewall ruleset has grown quite large with our ever-increasing dependence on internet connectivity, and it now supports several dozen DMZ-resident systems as well as hundreds of site-to-site VPNs. We use an industry-leading, enterprise-class firewall, which allows central management of multiple enforcement points and does a nice job of self-documentation within the management console. I am now being asked by upper management to extract the detailed ruleset configuration from the safety of the management console and publish this information to an "internal document" which will be available to corporate resources other than the small team charged with firewall administration. It was offered that we could document the process of obtaining this information through the firewall management interface, but this was rejected, and upper management is insisting that we publish every detail of the firewall ruleset to a shared directory on our network. Am I the only one who thinks this is a horrible idea and a potentially serious security issue? Can anyone provide any "best practices" documentation to support either side of the issue? I'm having real concerns with simply handing over the security information that I've spent many years protecting to those who may not understand the potential problems in publishing this data.