I wrote a long blog post for Network Computing that ended up published in four parts. The topic was helping sysadmins understand what firewall appliances do, and therefore how best to ask for firewall assistance from those who manage them.
Firewall configurations can be astonishingly complex. Firewall administrators deserve love and respect, as making the firewall not only pass traffic, but also pass it securely, is no simple task. The more complex the security policy, the harder it is to keep the firewall running properly.
From a networking perspective, applications are unpredictable, as are application architectures. Therefore, firewall administrators are not trying to be difficult when they push back on an ambiguous firewall change request. Rather, details are absolutely critical to successfully fulfilling the request in a secure manner. This is perhaps the chief source of friction between firewall administrators and sysadmins.
During application implementation, the security team is called on to open firewall ports. The presumption is that this is a simple task. As I hope I’ve established in this series, opening ports might or might not be so simple. Asking the firewall administrator to “open these ports” is akin to a network administrator asking a sysadmin to “spin up a VM” to support a newly acquired network appliance.
Sysadmins who understand the network behavior of their applications will be better able to communicate their needs. Network and security staff have a general working knowledge of protocols, but will not know the intimate details of any given application.