Site System Administration

A firewall is not an excuse to pay less attention to site system administration. It is in fact the opposite: if a firewall is penetrated, a poorly administered site could be wide-open to intrusions and resultant damage. A firewall in no way reduces the need for highly skilled system administration.

At the same time, a firewall can permit a site to be ``proactive'' in its system administration as opposed to reactive. Because the firewall provides a barrier, sites can spend more time on system administration duties and less time reacting to incidents and damage control. It is recommended that sites

• standardize operating system versions and software to make installation of patches and security fixes more manageable,

• institute a program for efficient, site-wide installation of patches and new software,

• use services to assist in centralizing system administration, if this will result in better administration and better security,

• perform periodic scans and checks of host systems to detect common vulnerabilities and errors in configuration, and

• ensure that a communications pathway exists between system administrators and firewall/site security administrators to alert the site about new security problems, alerts, patches, and other security-related information.