Re: [fw-wiz] Isolating internal servers behind firewalls
From: Dan Lynch
Sent: Monday, May 07, 2007 3:35 PM


How prevalent is it to segregate internal use servers away from internal clients behind firewalls? What benefits might we gain from the practice? What threats are we protected from?


In my experience, having servers on a separate segment controlled by
routers/switches with ACL is the most common configuration, with appliance
firewalls segregating segments also common. You enumerate many of the
advantages.


The firewall/security group argues that servers and clients should exist in separate security zones, and that consolidating servers behind firewalls allows us to
- Control which clients connect to which servers on what ports
- Centralized administration of that network access
- Centralized logging of network access
- A single point for intrusion detection and prevention measures

These benefits protect us from risk associated with internal attackers
and infected mobile devices or vendor workstations.


Counter-arguments to the disadvantages below.


On the other hand, the server team counters that

- troubleshooting problems becomes more difficult

Actually, segregation will ease troubleshooting, since traffic is monitored and
should be logged. Since both domain controllers and application servers are on
the same segment, the only traffic across the internal firewall should be client
access to these servers.


- firewall restrictions on which workstations can perform administration make general maintenance inconvenient, esp. in an emergency


If you have proper change control management, this should not be a problem.
In fact, a good firewall helps guarantee controlled change by ensuring
documentation of all changes to server configurations. During an emergency, you
don't want uncontrolled changes which could make the emergency worse.

- the threats we're countering are exceedingly rare

Internal threats are the most common kind, more often mistakes than malice, but
causing damage just the same.



- a broken (or hacked) firewall config breaks all access to servers if
consolidated behind firewalls

No more so than a broken or hacked server configuration. The same problem of
blocked access happens if routing is broken as well, so it really is a
non-issue.


Any and all thoughts are appreciated.


Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
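The segment-with-ACL design discussed in this thread (client zone, consolidated server zone, explicit port control, one central log, one place to watch for intrusions) can be modelled as a small first-match policy evaluator. The following is an added illustration written for this page; it is not code from the post, from Dan Lynch or from the firewall-wizards list. The zones, addresses, rules, and flow records are all constructed for the example, and the "suspicious source" heuristic is a deliberately simple stand-in for what a real IDS would do with the centralized log.

```python
# Added example: a first-match zone ACL with default deny and central logging,
# modelling the client-zone / server-zone split argued for in the thread.
# Every address, zone, rule and flow record below is constructed for the
# illustration and does not describe any real network.
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # source CIDR
    dst: str               # destination CIDR
    ports: FrozenSet[int]  # allowed TCP destination ports (empty set = any port)

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (not self.ports or dport in self.ports))


# Constructed zones (assumptions for the example, not the poster's network).
CLIENTS = "10.10.0.0/16"        # workstation segment
ADMIN_JUMP = "10.10.250.0/24"   # change-controlled admin hosts, a slice of CLIENTS
SERVERS = "10.20.0.0/24"        # consolidated server segment behind the firewall
DCS = "10.20.0.0/26"            # domain controllers, a slice of SERVERS

# First-match allow rules; anything unmatched falls through to default deny.
# Ordinary clients get only the service ports they need; management ports
# are reachable solely from the admin jump hosts.
RULES: List[Rule] = [
    Rule("clients-to-dc", CLIENTS, DCS, frozenset({53, 88, 135, 389, 445, 636})),
    Rule("clients-to-app", CLIENTS, SERVERS, frozenset({80, 443})),
    Rule("admin-jump-mgmt", ADMIN_JUMP, SERVERS, frozenset({22, 3389, 5985})),
]


def evaluate(src_ip: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Return (action, rule_name) for one connection attempt crossing the firewall."""
    for rule in RULES:
        if rule.matches(src_ip, dst_ip, dport):
            return "ALLOW", rule.name
    return "DENY", "default-deny"


def process_flows(lines: List[str]) -> List[str]:
    """Turn 'src dst dport' records into one centralized log line per decision."""
    out = []
    for line in lines:
        src, dst, port = line.split()
        action, rule = evaluate(src, dst, int(port))
        out.append(f"{action} rule={rule} src={src} dst={dst} dport={port}")
    return out


def suspicious_sources(log_lines: List[str], min_ports: int = 3) -> Dict[str, int]:
    """Sources denied on at least min_ports distinct ports: a toy single-point
    detection heuristic run over the central log (port-sweep shaped behaviour)."""
    denied_ports = defaultdict(set)
    for entry in log_lines:
        if not entry.startswith("DENY"):
            continue
        fields = dict(f.split("=", 1) for f in entry.split()[1:])
        denied_ports[fields["src"]].add(fields["dport"])
    return {src: len(p) for src, p in denied_ports.items() if len(p) >= min_ports}


# Constructed flow records: "src dst dport".
SAMPLE_FLOWS = [
    "10.10.5.5 10.20.0.10 445",      # workstation to DC file share: allowed
    "10.10.5.5 10.20.0.80 443",      # workstation to app server HTTPS: allowed
    "10.10.5.5 10.20.0.80 3389",     # workstation RDP to app server: denied
    "10.10.250.7 10.20.0.80 3389",   # admin jump host RDP: allowed
    "10.10.77.9 10.20.0.80 22",      # one client probing management ports...
    "10.10.77.9 10.20.0.80 3389",
    "10.10.77.9 10.20.0.81 5985",    # ...all denied and visible in one log
]

if __name__ == "__main__":
    log = process_flows(SAMPLE_FLOWS)
    print("\n".join(log))
    print("suspicious:", suspicious_sources(log))
```

Because the admin jump range sits inside the client range, rule order matters: the broader client rules are listed first but only carry service ports, so a management port from a jump host falls through to the narrower admin rule, while the same port from any other workstation reaches default deny. That is the "which clients, which servers, what ports" control from the thread, and the denials landing in one log are what makes the single detection point possible.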


