Re: Isolating internal servers behind firewalls

[Facekhan <facekhan () gmail com>]

The network group is basically wanting to take over responsibility for 
securing the servers because access to the servers depends on their 
infrastructure therefore they would have the final say on sever 
security. That is certainly not what the server group wants and if admin 
groups cannot  be in charge of their own security implementation  then 
it should fall on a specialized security group and not on the network 
group.

One more reason for segregating the servers is that many if not all of 
them have no need for internet access and there is a security benefit in 
blocking internet access to those servers that have no need. This could 
be done from the main gateway firewall though.

If there is good communication between the network and server teams such 
a setup is not a big deal, particularly if a default admin is account is 
used for the servers. If authorized users are given administrative 
privileges and there is no default remote administrator account on 
production servers then using a firewall to block access to them is 
overkill. It comes down to the server administrators being able to 
manage the security of their own equipment.


Also are they planning to restrict to a management subnet or vlan or by 
individual management hosts or what? If you already have user-level 
security then machine level just means that users and administrators are 
tied to their PC's and having to ask the network team to open access to 
servers for the server administrators does not make sense as a policy.

It makes sense to put servers on their own subnet, but I would suggest 
that if adequate AD security precautions are taken to limit user level 
access to servers/resources they have no need for, then installing a 
default deny firewall in between users and servers is not really worth 
it. Now it might be a good idea to install a Network Intrusion detection 
system within the server's network for internal security auditing. 

Also do you really want to limit throughput between file servers and 
users when security is better handled by the server administrators.


Jason



Dan Lynch wrote:
> Greetings list,
>
> I'm looking for opinions on internal enterprise network firewalling. Our
> environment is almost exclusively Microsoft Active Directory-based.
> There are general purpose file servers, AD domain controllers, SMS
> servers, Exchange servers, and MS-SQL-based datase app servers. In all
> about 80+ servers for over 2500 users on about 2000 client machines, all
> running Windows XP. 
>
> How prevalent is it to segregate internal use servers away from internal
> clients behind firewalls? What benefits might we gain from the practice?
> What threats are we protected from?
>
> The firewall/security group argues that servers and clients should exist
> in separate security zones, and that consolidating servers behind
> firewalls allows us to 
> - Control which clients connect to which servers on what ports
> - Centralized administration of that network access
> - Centralized logging of network access
> - a single point for intrusion detection and prevention measures
>
> These benefits protect us from risk associated with internal attackers
> and infected mobile devices or vendor workstations.
>
> On the other hand, the server team counters that 
>
> - troubleshooting problems becomes more difficult 
> - firewall restrictions on which workstations can perform administration
> makes general maintenance inconvenient, esp. in an emergency
> - the threats we're countering are exceedingly rare
> - a broken (or hacked) firewall config breaks all access to servers if
> consolidated behind firewalls 
>
> Any and all thoughts are appreciated.
>
>
> Dan Lynch, CISSP
> Information Technology Analyst
> County of Placer
> Auburn, CA
>
>
>