Re: [fw-wiz] Isolating internal servers behind firewalls



On Tue 9/11/2007 12:11 PM, D Sharp said:
Summary:

Can segmenting/filtering at the network level provide a greater level of risk reduction?

If you don't review every port request for risk, and deny
those that are risky, then you are just tracking the traffic good/bad.

Although "risky" is a relative, and not a universally defined, term, the question remains: "Is Windows file sharing risky?"

1) If one thinks Windows file sharing is risky, then that traffic to the protected servers must be denied. If it is denied, then why have Windows file servers?
2) If one thinks Windows file sharing is not risky, then I have no basis to argue the point any further.

I suppose you could prevent meltdown by blocking everything that is risky, but then you have a network that doesn't function, either.


I used to think that segmenting/filtering *could* provide a greater level of risk reduction. In a perfect environment, it could. However, in the real world, where $$$ talk, I don't believe that is the case (maybe I'm already becoming too crusty at age 42?). Environments are sometimes very dynamic, and maintenance of the environment gets pushed down to the low man/woman on the totem pole, because the senior folks are too busy fighting the fire du jour, or designing the next big thing, and don't have time to mess with such mundane tasks as maintenance of rules. Those (less expensive folks) left to do the maintenance typically have less experience, and are more apt to make a human error when implementing the filtering rules. One typo that goes unchecked (because checking it costs even more $$$), and the firewall is wide open.

Jeff (no personal attacks were implied - hopefully it comes across that way)

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards