Security Basics mailing list archives
Re: Isolating internal servers behind firewalls
From: jmbreci () yahoo com
Date: 8 May 2007 14:59:37 -0000
Dan,

Good question and information. No one can really answer this for you; you have to find out the information on your own...literally. What advice I can give is this: are there any regulatory guidelines that you are trying to conform to? Are there any critical assets that you want/need to protect? What security policies do you have in place, and are they relevant to this discussion?

My company has some regulatory guidelines that are forcing us to isolate some servers, workstations and general locations from our Corporate network. As an example, take PCI. One approach is to isolate all of your devices that take/handle CC information from the rest of your network. Having a good set of network diagrams really helps out in planning this.

Also, with some of the items you mentioned, how anal are you going to be on the policies? Are you truly going to try to block, down to the workstation, who does or does not have access (internally) to port 1433 on a SQL server? How will you keep track of that? Are you planning on hard-coding all of your workstations' IP addresses so that you do not get hosed by a DHCP scope change?

Our vendors must attach to a completely different network than our Corporate Network. If they need on the Corp Net, it is on one of our machines. Our mobility users have to come in through a VPN. Again, my train of thought is to segment off critical/regulatory items. We do not have the personnel or time to micromanage down to the exact workstation for most things.

With that being said, I would encourage anyone doing this to choose a different firewall vendor for any internal firewall projects versus the firewall that they stood up on the end points.

Hope that helps a bit.

JB
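The DHCP pitfall raised in the reply above (per-workstation allow rules to TCP/1433 that silently break, or silently let the wrong host through, when a lease changes) is easy to check for mechanically. The following is an added example, not code from the post or from the list; the DHCP scope, the reservation table and the firewall rule list are all constructed, illustrative values, and the rule format is an assumption rather than any particular vendor's syntax. It classifies each rule's source address as static (outside the dynamic pool), reserved (pinned to a MAC), dynamic (inside the pool with no reservation, so liable to move), or outside the scope entirely, and reports the dynamic ones as the rules that need a reservation or a different control.

```python
"""Audit host-specific firewall rules against a DHCP scope (added example)."""
import ipaddress

# Constructed DHCP scope: one /24 with a dynamic pool and two MAC reservations.
# These are illustrative values, not taken from the original post.
DHCP_SCOPE = {
    "network": "10.20.0.0/24",
    "pool_start": "10.20.0.50",
    "pool_end": "10.20.0.250",
    # Addresses pinned to a MAC keep their IP across renewals.
    "reservations": {
        "10.20.0.51": "aa:bb:cc:dd:ee:01",
        "10.20.0.52": "aa:bb:cc:dd:ee:02",
    },
}

# Constructed per-workstation allow rules toward a SQL server on TCP/1433.
# Assumed generic rule shape; not a real vendor's rule syntax.
FIREWALL_RULES = [
    {"src": "10.20.0.10", "dst": "10.20.0.5", "dport": 1433, "proto": "tcp"},
    {"src": "10.20.0.51", "dst": "10.20.0.5", "dport": 1433, "proto": "tcp"},
    {"src": "10.20.0.77", "dst": "10.20.0.5", "dport": 1433, "proto": "tcp"},
    {"src": "10.20.1.5",  "dst": "10.20.0.5", "dport": 1433, "proto": "tcp"},
]


def in_dynamic_pool(ip, scope):
    """True if ip falls inside the scope's dynamically assigned range."""
    addr = ipaddress.ip_address(ip)
    start = ipaddress.ip_address(scope["pool_start"])
    end = ipaddress.ip_address(scope["pool_end"])
    return start <= addr <= end


def classify_source(ip, scope):
    """Describe how stable the address behind a rule is."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(scope["network"]):
        return "outside-scope"   # served by some other scope; check separately
    if ip in scope["reservations"]:
        return "reserved"        # pinned to a MAC, survives a lease change
    if in_dynamic_pool(ip, scope):
        return "dynamic"         # may be handed to a different host later
    return "static"              # outside the pool, presumably hand-assigned


def audit_rules(rules, scope, port=1433):
    """Return (src, dst, classification) for rules whose source may change."""
    findings = []
    for rule in rules:
        if rule["dport"] != port:
            continue
        kind = classify_source(rule["src"], scope)
        if kind == "dynamic":
            findings.append((rule["src"], rule["dst"], kind))
    return findings


def summarize(rules, scope, port=1433):
    """Count rules for the given port by address classification."""
    counts = {}
    for rule in rules:
        if rule["dport"] != port:
            continue
        kind = classify_source(rule["src"], scope)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for src, dst, kind in audit_rules(FIREWALL_RULES, DHCP_SCOPE):
        print(f"rule {src} -> {dst}:1433 relies on a {kind} address; add a reservation")
    print(summarize(FIREWALL_RULES, DHCP_SCOPE))
```

Run against a real environment this would read the scope from the DHCP server and the rules from the firewall's export; the point of the check is that a rule keyed on a dynamic address is not really a rule about a workstation at all, which is the tracking problem the reply describes.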
Current thread:
- Isolating internal servers behind firewalls Dan Lynch (May 07)
- Re: Isolating internal servers behind firewalls Ansgar -59cobalt- Wiechers (May 08)
- Re: Isolating internal servers behind firewalls Facekhan (May 08)
- <Possible follow-ups>
- Re: Isolating internal servers behind firewalls jmbreci (May 08)
- Re: Isolating internal servers behind firewalls jmbreci (May 09)