I wonder about the labor required to pull this off for almost 200 servers
(and Microsoft applications are a bitch). I fear it will be hell to
manage all the exceptions, i.e. one user in a different building needs
access to a few administrative ports. Not to mention that after it's done
we'll spend days trying to work out the bugs of things that 'should just
work' and effects of application upgrades that change ports.

You need to talk to your peers at other universities of similar size. I
used to admin the firewall for a similar sized institution (judging by the
200 servers number), but they treated the inside of their network as a hostile
environment, and required people to yield control and use the internal
firewall, arm themselves, or wait and suffer without complaining.

There were two firewalls: one took care of external links, plus internet-related
DMZs; the other protected ERP, cash, library systems, and whatever
offices requested separation from the wide open inside, and agreed to be
bound by the standard policy and SLAs.
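The layout described above (an edge firewall for external links and DMZs, a second firewall in front of protected segments such as ERP and library systems, and everything else on the inside treated as hostile) can be modelled as a zone policy, which also answers the earlier worry about managing one-off exceptions: record each exception as data with an owner and an expiry instead of a hand edit to the ruleset. The following is an added illustration, not code from the thread or from any institution's firewall; all zone prefixes, hosts, ports, owners and dates are constructed.

```python
"""Zone-based firewall policy model with explicitly tracked exceptions.

Added example (not from the original post). Zones, addresses, ports and
owners below are constructed; adapt them to a real address plan.
"""
from dataclasses import dataclass
from datetime import date
import ipaddress

# Zone map: the most specific prefix wins, so the protected segments carved
# out of the general "inside" range (ERP, library) take precedence over it.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "erp": ipaddress.ip_network("10.10.0.0/16"),
    "library": ipaddress.ip_network("10.20.0.0/16"),
}


def zone_of(ip: str) -> str:
    """Return the zone of an address by longest-prefix match; anything
    outside the known ranges is treated as 'outside'."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(matches)[1] if matches else "outside"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    ports: frozenset  # TCP ports permitted between the two zones


# Standing policy. The inside is treated as hostile, so even inside -> protected
# segment traffic is limited to service ports; admin ports are never baseline.
POLICY = [
    Rule("outside", "dmz", frozenset({80, 443})),
    Rule("inside", "dmz", frozenset({80, 443})),
    Rule("inside", "erp", frozenset({443})),
    Rule("inside", "library", frozenset({80, 443})),
    Rule("outside", "library", frozenset({443})),
]


@dataclass(frozen=True)
class AccessException:
    """A single-host exception with an accountable owner and an expiry date."""
    src_host: str
    dst_zone: str
    ports: frozenset
    owner: str
    expires: date


# Constructed example: one admin in another building needs RDP into the
# ERP segment until the end of June.
EXCEPTIONS = [
    AccessException("10.0.5.7", "erp", frozenset({3389}),
                    "erp-admin@example.edu", date(2025, 6, 30)),
]


def evaluate(src_ip: str, dst_ip: str, port: int, today: date):
    """Decide a flow: ('allow'|'deny', reason). Same-zone traffic never
    crosses a firewall, then standing policy, then unexpired exceptions,
    then default deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return ("allow", f"intra-zone {src}")
    for rule in POLICY:
        if rule.src_zone == src and rule.dst_zone == dst and port in rule.ports:
            return ("allow", f"policy {src}->{dst}:{port}")
    for exc in EXCEPTIONS:
        if exc.src_host == src_ip and exc.dst_zone == dst and port in exc.ports:
            if today <= exc.expires:
                return ("allow", f"exception owned by {exc.owner} until {exc.expires}")
            return ("deny", f"exception owned by {exc.owner} expired {exc.expires}")
    return ("deny", f"default deny {src}->{dst}:{port}")


def expiring_exceptions(today: date, within_days: int = 30):
    """List exceptions due for review, so they are renewed or removed
    deliberately rather than accumulating forever."""
    return [e for e in EXCEPTIONS if 0 <= (e.expires - today).days <= within_days]


if __name__ == "__main__":
    today = date(2025, 6, 10)
    for flow in [("198.51.100.4", "192.0.2.10", 443),
                 ("10.0.5.7", "10.10.1.1", 3389),
                 ("10.0.9.9", "10.10.1.1", 3389)]:
        print(flow, evaluate(*flow, today))
    print("due for review:", [e.owner for e in expiring_exceptions(today)])
```

The point of the `expires` and `owner` fields is that every exception has someone who can be asked whether it is still needed, and a date on which it stops working by itself; that is what keeps "a few administrative ports for one user" from turning into a permanent hole nobody remembers.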

