What is the recommended approach to configure IAM permissions for the networking team, allowing them read-only access to firewall rules while preventing creation, modification, or deletion privileges, given that firewall management is handled by a separate security team?