On Mon, Apr 21, 2014 at 9:32 AM, Lee Howard <Lee@asgard.org> wrote:
You're describing best practice. Yes, of course, you should have well documented technical and business needs for what's open and what's closed in firewalls, and should have traceability from the rules in place to the requirements, and be able to walk the rules and understand them and reinterpret them from v4 to v6, to a new firewall vendor, etc etc.
Yes. Any publicly-traded company will have this because their auditors require it. I would think that companies without this documentation are probably not ready to deploy a new protocol. I concede that tracing the rules to the requirements is a hard one in practice (and a PITA in operational practice), but I don't think it's required to be able to map IPv4 rules to IPv6 rules.
You would think that any publicly-traded or sufficiently large or high profile company would have that because their auditors should require that. Yes, that's a reasonable assertion and hope. I regret to inform the discussion that it's a forlorn hope in a number of actual real world organizations.

I'm not making noise to be remembered on the lists as a pissed off troublemaker. I've been doing enterprise IT consulting since the early 1990s, and am relaying what the state of reality is, and attempting to get people at various levels to deal with that rather than assume higher levels of competence than are really out there...

--
-george william herbert
george.herbert@gmail.com