6.) Permissive rules (rules with "ANY" and "ACCEPT", or even better, "ANY ANY ACCEPT")? If you want to be on good terms with auditors, then get rid of these. Rest assured, the security implications will soon enough deem them unacceptable. That means rules will need to be more specific and precise -- which could either be really good or really bad, depending on the size and nature of your existing rule base (see items 9 and 10).
5.) A user is requesting a change for a new rule, but the firewall guy can't tell if that traffic is already allowed, and has 30 other things to do so he simply adds the new rule with the intention of reviewing it later. Can you guess how the story ends?
4.) Process? Documentation? Authorization? Just how quickly does the CEO need network access?
3.) "You want a rule usage report for firewalls protecting the 50 Web servers in Sacramento? WHAT 50 Web servers in Sacramento?"
2.) "What do you mean the quarterly PCI reports are now MY responsibility?"
1.) It's 3 p.m. and his manager wants to know if all 200 firewalls (with at least 250 rules per firewall) from multiple vendors across six countries are in compliance with seven distinct regulations, two of which are regulations from different countries that contradict each other. And he wants to know by the end of the day.
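Items 6 and 5 above describe two rule-base problems that an offline check can surface before an auditor does: allow rules that match any source, any destination and any service, and new rules whose traffic is already matched by an earlier, broader rule (so the firewall admin never needed to add them, or, worse, a later deny never fires). The script below is an added example, not code from the article; the simple text rule format, the five-line rule table and first-match evaluation are all constructed assumptions for illustration, and real vendors' exports will need their own parser.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample rule base (not from the article). Format per line:
#   <number> <allow|deny> <src-cidr|any> <dst-cidr|any> <proto/port|any>
# Rules are assumed to be evaluated top-down, first match wins.
SAMPLE_RULES = """\
1 allow 10.0.0.0/8 any any
2 allow 10.1.2.0/24 192.168.5.10/32 tcp/443
3 allow any any any
4 deny 172.16.0.0/12 any tcp/22
5 allow 10.1.2.5/32 192.168.5.10/32 tcp/443
"""

Net = Optional[ipaddress._BaseNetwork]  # None stands for "any"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str      # "allow" or "deny"
    src: Net
    dst: Net
    service: str     # "any" or "proto/port", e.g. "tcp/443"


def parse_net(token: str) -> Net:
    """'any' becomes None; anything else must be a valid CIDR or host address."""
    return None if token.lower() == "any" else ipaddress.ip_network(token, strict=False)


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        num, action, src, dst, svc = line.split()
        rules.append(Rule(int(num), action.lower(), parse_net(src), parse_net(dst), svc.lower()))
    return rules


def net_covers(outer: Net, inner: Net) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer is None:            # "any" covers everything
        return True
    if inner is None:            # "any" is only covered by "any"
        return False
    if outer.version != inner.version:
        return False
    return inner.subnet_of(outer)


def service_covers(outer: str, inner: str) -> bool:
    return outer == "any" or outer == inner


def covers(earlier: Rule, later: Rule) -> bool:
    """True if `earlier` matches every packet that `later` would match."""
    return (net_covers(earlier.src, later.src)
            and net_covers(earlier.dst, later.dst)
            and service_covers(earlier.service, later.service))


def find_permissive(rules: List[Rule]) -> List[int]:
    """Item 6: allow rules with any source, any destination and any service."""
    return [r.number for r in rules
            if r.action == "allow" and r.src is None and r.dst is None and r.service == "any"]


def find_shadowed(rules: List[Rule]) -> Dict[int, int]:
    """Item 5: rules fully covered by an earlier rule, so under first-match they never fire.

    Returns {shadowed rule number: number of the earlier rule that covers it}.
    A shadowed rule with the *same* action is redundant; with a *different* action
    (e.g. a deny below a broad allow) it is a silent policy conflict.
    """
    shadowed: Dict[int, int] = {}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                shadowed[later.number] = earlier.number
                break
    return shadowed


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("any/any/any allow rules:", find_permissive(rules))
    for later, earlier in find_shadowed(rules).items():
        kind = "redundant" if rules[later - 1].action == rules[earlier - 1].action else "CONFLICT"
        print(f"rule {later} is shadowed by rule {earlier} ({kind})")
```

On the constructed table this reports rule 3 as the any/any/any allow, rules 2 and 5 as redundant with rule 1, and rule 4 as a conflict: the SSH deny sits below the any/any/any allow and can never match. The coverage check is deliberately strict (a rule is shadowed only if a single earlier rule covers it entirely); a rule hidden by the union of several earlier rules is not reported, which keeps the output free of false positives at the cost of missing that case.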
Operations people are a noble lot. They deal first-hand with the never-ending network complexity, and because their triumphs are measured in disasters avoided, they are rarely, if ever, publicly acknowledged.
So, before you deny their request to attend Black Hat/DefCon this summer, re-read this list for a reminder of how much they add to the organization. And then "Any, Any, Any, Accept" the request.