Firewall Wizards mailing list archives

RE: Putting MS servers behind firewalls


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 8 Jun 2004 10:53:56 -0400 (EDT)

On Tue, 8 Jun 2004, Mark Gumennik wrote:

> Keep in mind that this router (or a fw in your case) becomes a backbone
> (bottleneck) of your LAN

Not much of one in most cases, so long as the rules are organized well-
large corporations route through to the backbone anyway, and filter rules
don't have a noticeable effect unless they're very poorly done (even rules
to block the camper's access to the Quake server temporarily on a core
7513 routing ~12 floors of people, or so I've been told...)

Heck, my home firewall will pass 2Gb/s of traffic, and it's sitting on a
10/100 LAN- bottlenecking is not that much of a problem these days.

You should worry if you get a great deal of latency added, but other than
in GigE environments, and places that have serious broadcast issues
anyway, I haven't seen a real firewall or router bottleneck in about 6
years that couldn't be dealt with by having some good rule ordering.

> Best of all just put Exchange bridgehead behind a fw (DMZ), open port 25 to
> it and put all AD servers on a regular LAN

You can put the IMCs on different servers- but probably the original
poster is trying to protect infrastructure from compromised internal
hosts- which is a more difficult nut to crack.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

