Re: [fw-wiz] Isolating internal servers behind firewalls

From: Dan Lynch
Sent: Monday, May 07, 2007 3:35 PM

> How prevalent is it to segregate internal use servers away from internal
> clients behind firewalls? What benefits might we gain from the practice?
> What threats are we protected from?

In my experience, having servers on a separate segment controlled by
routers/switches with ACLs is the most common configuration, with appliance
firewalls segregating segments also common. You enumerate many of the

> The firewall/security group argues that servers and clients should exist
> in separate security zones, and that consolidating servers behind
> firewalls allows us to
> - Control which clients connect to which servers on what ports
> - Centralized administration of that network access
> - Centralized logging of network access
> - a single point for intrusion detection and prevention measures
>
> These benefits protect us from risk associated with internal attackers
> and infected mobile devices or vendor workstations.

Counter arguments to disadvantages below.

> On the other hand, the server team counters that
>
> - troubleshooting problems becomes more difficult

Actually, segregation will ease troubleshooting, since traffic is monitored and
should be logged. Since both domain controllers and application servers are on
the same segment, the only traffic across the internal firewall should be client
access to these servers.

> - firewall restrictions on which workstations can perform
> makes general maintenance inconvenient, esp. in an emergency

If you have proper change control management, this should not be a problem.
In fact, a good firewall helps guarantee controlled change by ensuring
documentation of all changes to server configurations. During an emergency, you
don't want uncontrolled changes which could make the emergency worse.

> - the threats we're countering are exceedingly rare

Internal threats are the most common kind, more often mistakes rather than
vicious, but causing damage just the same.

> - a broken (or hacked) firewall config breaks all access to servers if
> consolidated behind firewalls

No more so than a broken or hacked server configuration. The same problem of
blocked access happens if routing is broken as well, so it really is a non

> Any and all thoughts are appreciated.

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
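The zone model argued for above (clients and servers in separate zones, the internal firewall deciding which clients reach which servers on which ports, with logging in one place) is easiest to see as a concrete ruleset. The following nftables ruleset is an added example written for this thread, not something posted by its participants; every address, interface name and port set in it is an assumption chosen for illustration.

```nft
# Added example (not from the thread). Internal firewall forwarding between a
# client zone and a server zone. Addresses, interface names and port sets are
# assumptions for illustration; the real domain-controller port list depends on
# the services in use (RPC dynamic ports in particular need their own handling).
define CLIENT_NET = 10.10.0.0/16                 # workstation VLANs (assumed)
define SERVER_NET = 10.20.0.0/24                 # DCs and application servers (assumed)
define DC_SET     = { 10.20.0.11, 10.20.0.12 }   # domain controllers (assumed)
define ADMIN_JUMP = 10.30.0.10                   # change-controlled admin host (assumed)

table inet internal_fw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # replies to already-permitted flows continue; everything new must match below
        ct state established,related accept
        ct state invalid drop

        # clients -> domain controllers: directory, Kerberos, DNS, time and SMB only
        iifname "vlan-clients" oifname "vlan-servers" ip saddr $CLIENT_NET ip daddr $DC_SET \
            tcp dport { 53, 88, 135, 389, 445, 636, 3268, 3269 } accept
        iifname "vlan-clients" oifname "vlan-servers" ip saddr $CLIENT_NET ip daddr $DC_SET \
            udp dport { 53, 88, 123, 389 } accept

        # clients -> application servers: only the published service ports
        iifname "vlan-clients" oifname "vlan-servers" ip saddr $CLIENT_NET ip daddr $SERVER_NET \
            tcp dport { 80, 443 } accept

        # remote administration (SSH/RDP) only from the admin host, logged for the audit trail;
        # during an emergency this is the documented path, not an ad hoc rule change
        iifname "vlan-mgmt" oifname "vlan-servers" ip saddr $ADMIN_JUMP ip daddr $SERVER_NET \
            tcp dport { 22, 3389 } log prefix "FW-ADMIN " accept

        # servers never initiate connections toward client VLANs; record any attempt
        iifname "vlan-servers" oifname "vlan-clients" log prefix "FW-SRV2CLIENT " drop

        # the single logging point: every other new flow is recorded, then dropped
        log prefix "FW-DENY " drop
    }
}
```

Because the chain policy is drop, a client that is not listed simply fails to connect and the attempt appears once in the firewall log, which is what makes the troubleshooting argument above work in practice.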

firewall-wizards mailing list
