Firewall Wizards mailing list archives
Re: Isolating internal servers behind firewalls
From: "Behm, Jeffrey L." <BehmJL () bv com>
Date: Mon, 10 Sep 2007 08:09:17 -0500
You may end up opening up so much stuff in the firewall(s) that they pretty much become swiss cheese anyways. And much of the stuff you would open up would be the same things that would be used as an attack vector. How many new exploits come in via chargen nowadays, which you could block, vs. how many come in via Microsoft networking (ports 445, 137, 139, etc.), which you would have open if you want file shares to work?

If you find you have a hacked firewall, you have much bigger problems than broken access from clients to servers.

That centralized maintenance the security group wants *can* be a pain in the rear end, depending on how dynamic your environment is, whether you let just anyone come in and get a DHCP address, etc. Who's watching/auditing the security group to ensure they are implementing everything correctly? That maintenance, when it does become such a pain, always gets migrated down to the low man on the totem pole, where there is a greater risk of improper implementation. I.e., you probably won't have the senior InfoSec guy implementing rules for individual users/machines; that's the new guy's job, and Mr. BigShot doesn't have time for such menial maintenance.

It's a trade-off between securing down to the gnat's rear end at additional cost/maintenance vs. having "adequate" security at lower cost & easier maintenance.

And don't forget that there's always the layer 8 requirements to deal with, based on what just came out in E-Week.

Jeff
(Disclaimer: My opinions are my own, and do not necessarily reflect those of any other entity)

On Monday, May 07, 2007 2:35 PM, Dan Lynch said:

> How prevalent is it to segregate internal use servers away from internal clients behind firewalls? What benefits might we gain from the practice? What threats are we protected from?
>
> The firewall/security group argues that servers and clients should exist in separate security zones, and that consolidating servers behind firewalls allows us to
> - Control which clients connect to which servers on what ports
> - Centralized administration of that network access
> - Centralized logging of network access
> - a single point for intrusion detection and prevention measures
>
> These benefits protect us from risk associated with internal attackers and infected mobile devices or vendor workstations.
>
> On the other hand, the server team counters that
> - troubleshooting problems becomes more difficult
> - firewall restrictions on which workstations can perform administration make general maintenance inconvenient, esp. in an emergency
> - the threats we're countering are exceedingly rare
> - a broken (or hacked) firewall config breaks all access to servers if consolidated behind firewalls
>
> Any and all thoughts are appreciated.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
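A minimal ruleset for the server-zone firewall this thread is arguing about, added here as an example and not taken from either post. It assumes nftables, the interface names and the addresses given in the comments (all constructed), and it makes Jeff's point concrete: the file-sharing rule has to stay open to every client, so the firewall gains you little against anything that arrives over 445, while the management rule and the logging are what the security group actually gets out of the design.

```nft
#!/usr/sbin/nft -f
# Assumed addressing (constructed for this example):
#   clients  10.10.0.0/16          user workstations, laptops, vendor machines
#   servers  10.20.0.0/24          file/print/app servers behind this firewall
#   admins   10.30.0.10, 10.30.0.11  the only hosts allowed to use management ports
# Assumed interfaces: eth0 faces the clients, eth1 faces the servers.
flush ruleset

table inet srvzone {
    set admin_hosts {
        type ipv4_addr
        elements = { 10.30.0.10, 10.30.0.11 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Only client -> server traffic is evaluated; servers never initiate.
        iifname "eth0" oifname "eth1" jump clients_to_servers

        # Default deny, logged, so "centralized logging" is real and not just a slogan.
        log prefix "srvzone-drop: " level info
    }

    chain clients_to_servers {
        # File sharing. This rule must be open to the whole client range because
        # shares have to work, which is exactly why the firewall adds nothing
        # against an exploit that rides in over 445 from an infected workstation.
        ip saddr 10.10.0.0/16 ip daddr 10.20.0.0/24 tcp dport 445 accept

        # Legacy NetBIOS: keep only if something still needs it, otherwise delete.
        ip saddr 10.10.0.0/16 ip daddr 10.20.0.0/24 tcp dport 139 accept
        ip saddr 10.10.0.0/16 ip daddr 10.20.0.0/24 udp dport { 137, 138 } accept

        # Management (SSH, RDP) only from the admin hosts, logged on accept so the
        # audit trail of who touched the servers is separate from the drop log.
        ip saddr @admin_hosts ip daddr 10.20.0.0/24 tcp dport { 22, 3389 } log prefix "srvzone-admin: " accept

        # Services nobody needs from the client side fall through to the logged drop;
        # a counter on the obvious ones shows whether anything is even trying.
        tcp dport 19 counter drop comment "chargen"
    }
}
```

Because every server hangs on this one policy (the server team's "broken config breaks all access" objection), keep the file in version control and validate it with `nft -c -f srvzone.nft` before loading a change.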