Re: [fw-wiz] Isolating internal servers behind firewalls



I'd agree with both viewpoints :-)
Which way you go depends on what your priorities are.

However, [a] I reckon that troubleshooting is easier if you know
what's going on in your network. The firewall logs will usually help in
this, not hinder you.
[b] Most threats are very rare; that doesn't mean you should ignore them all.

sai

On 5/8/07, Dan Lynch <DLynch@xxxxxxxxxxxxx> wrote:
Greetings list,

I'm looking for opinions on internal enterprise network firewalling. Our
environment is almost exclusively Microsoft Active Directory-based.
There are general purpose file servers, AD domain controllers, SMS
servers, Exchange servers, and MS-SQL-based database app servers. In all,
about 80+ servers for over 2500 users on about 2000 client machines, all
running Windows XP.

How prevalent is it to segregate internal use servers away from internal
clients behind firewalls? What benefits might we gain from the practice?
What threats are we protected from?

The firewall/security group argues that servers and clients should exist
in separate security zones, and that consolidating servers behind
firewalls allows us to
- Control which clients connect to which servers on what ports
- Centralized administration of that network access
- Centralized logging of network access
- a single point for intrusion detection and prevention measures

These benefits protect us from risk associated with internal attackers
and infected mobile devices or vendor workstations.

On the other hand, the server team counters that

- troubleshooting problems becomes more difficult
- firewall restrictions on which workstations can perform administration
make general maintenance inconvenient, esp. in an emergency
- the threats we're countering are exceedingly rare
- a broken (or hacked) firewall config breaks all access to servers if
consolidated behind firewalls

Any and all thoughts are appreciated.


Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
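The zone model the firewall/security group describes above (clients and servers in separate zones, permitted ports controlled in one place, every flow logged, default deny) as an added example that is not part of the thread. The zone ranges, rule set and sample flows are constructed; the ports are the well-known ones for the services Dan lists (AD, Exchange client access, RDP for administration, MS-SQL), and `admin_path_exists` is a hypothetical sanity check for the server team's emergency-access concern.

```python
"""Client/server zone policy model for the segregation debated in the thread."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "src dst port")

# Constructed zones; admin workstations are a more specific subnet inside clients.
ZONES = {
    "clients": ip_network("10.1.0.0/16"),
    "admin_ws": ip_network("10.1.250.0/24"),
    "servers": ip_network("10.2.0.0/16"),
}

# (source zone, destination zone, permitted TCP ports). Well-known ports:
# DNS 53, Kerberos 88, LDAP 389, SMB 445, HTTPS 443 for Exchange client access,
# RDP 3389 and MS-SQL 1433 only from administrative workstations.
RULES = [
    ("clients", "servers", {53, 88, 389, 445, 443}),
    ("admin_ws", "servers", {3389, 1433}),
]

def zones_of(addr):
    """All zones containing addr (an unknown host such as a vendor laptop gets none)."""
    a = ip_address(addr)
    return {name for name, net in ZONES.items() if a in net}

def evaluate(flow):
    """Default deny: return ('permit'|'deny', reason)."""
    for s, d, ports in RULES:
        if s in zones_of(flow.src) and d in zones_of(flow.dst) and flow.port in ports:
            return "permit", f"rule {s}->{d}:{flow.port}"
    return "deny", "no matching rule (default deny)"

def audit(flows):
    """Centralized log: one line per flow; denies are what troubleshooting looks for."""
    return [f"{evaluate(f)[0].upper():6} {f.src} -> {f.dst}:{f.port} ({evaluate(f)[1]})"
            for f in flows]

def admin_path_exists(port=3389):
    """Hypothetical check: at least one administrative path into the server zone is permitted."""
    return any(d == "servers" and port in ports for _, d, ports in RULES)

SAMPLE_FLOWS = [  # constructed
    Flow("10.1.20.5", "10.2.0.10", 389),      # client -> DC LDAP: permit
    Flow("10.1.20.5", "10.2.0.50", 3389),     # client -> server RDP: deny
    Flow("10.1.250.7", "10.2.0.50", 3389),    # admin workstation RDP: permit
    Flow("192.168.77.3", "10.2.0.60", 1433),  # unknown (vendor) host -> SQL: deny
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_FLOWS)))
    print("admin path present:", admin_path_exists())
```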
