tag:blogger.com,1999:blog-8508935345157628191.post7372272791564504857..comments2024-03-28T21:29:25.773-07:00Comments on Phill Barber's Blog: The case for keeping firewalls simplePhill Barberhttp://www.blogger.com/profile/18399785532886246472noreply@blogger.comBlogger1125tag:blogger.com,1999:blog-8508935345157628191.post-87136572443895450072016-04-07T02:51:55.168-07:002016-04-07T02:51:55.168-07:00If a firewall is doing stuff above layer ii then i...If a firewall is doing stuff above layer ii then it is an application service. Therefore it *should* follow all the same disciplines:<br /><br />- config under scm<br />- replicas in test envs<br />- automated deployment<br />- monitoring and logging<br />- notification to consumers of breaking changes<br />- explicit contract(s)<br />- automated tests<br /><br />Unfortunately this is often not the case with centralized ops teams. Since a system is as strong as its weakest link, your recommendation of simplifying the configuration is a good one. Otherwise if the security constraints are real then some collaboration and effort will be needed to reach a more equitable common ground.Anonymousnoreply@blogger.com