Firewall Wizards mailing list archives
Re: Isolating internal servers behind firewalls
From: jason () tacorp com
Date: Sun, 9 Sep 2007 13:11:33 -0400 (EDT)
Dan,

This is something our organization has just begun doing. We are a state university that has student users on the inside of the network and we have some of the same fears. After we began designing it we realized it was actually easier than it sounds.

We have a Cisco Firewall Services Module that we use for our head end. We simply created another context on this unit, but the key was that it can be done in 'transparent mode', which actually bridges the interfaces instead of routing them. So, for a given network, you can move a machine behind a firewall and not even have to renumber it. If it doesn't work, patch it back to the other side and go find out what was wrong. It's as simple as having one VLAN that's not protected and one VLAN that's protected.

If you can clearly define your services into roles and create clean object-groups out of them, it's easy enough to drop a server into a role, then move it to the other VLAN.

Jason Mishka - "I'm like a Subway in a land of McDonalds..."

On Mon, 7 May 2007, Dan Lynch wrote:
Greetings list,

I'm looking for opinions on internal enterprise network firewalling. Our environment is almost exclusively Microsoft Active Directory-based. There are general purpose file servers, AD domain controllers, SMS servers, Exchange servers, and MS-SQL-based database app servers. In all about 80+ servers for over 2500 users on about 2000 client machines, all running Windows XP.

How prevalent is it to segregate internal use servers away from internal clients behind firewalls? What benefits might we gain from the practice? What threats are we protected from?

The firewall/security group argues that servers and clients should exist in separate security zones, and that consolidating servers behind firewalls allows us to
- Control which clients connect to which servers on what ports
- Centralized administration of that network access
- Centralized logging of network access
- a single point for intrusion detection and prevention measures

These benefits protect us from risk associated with internal attackers and infected mobile devices or vendor workstations.

On the other hand, the server team counters that
- troubleshooting problems becomes more difficult
- firewall restrictions on which workstations can perform administration make general maintenance inconvenient, esp. in an emergency
- the threats we're countering are exceedingly rare
- a broken (or hacked) firewall config breaks all access to servers if consolidated behind firewalls

Any and all thoughts are appreciated.

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
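The role/object-group approach Jason describes, and the "control which clients connect to which servers on what ports" benefit from Dan's list, as an added example that is not code from either post: a small Python evaluator for a policy written in Cisco ASA/FWSM object-group syntax. It expands the groups and answers "would this flow pass the ACL?", so a server can be checked against its role before it is patched into the protected VLAN, and shows that dropping a host into an existing object-group is all the policy change a move needs. The policy text, group names, addresses and ports are constructed for illustration; only the ACL is modelled, not the transparent-mode bridging.

```python
"""Offline evaluator for a role-based server ACL in Cisco ASA/FWSM object-group syntax.
Added example, not code from the list post: it parses a small constructed policy (all
names, addresses and ports are made up), expands the object-groups and answers "would
this flow pass the ACL?" so a server can be checked against its role before it is
patched into the protected VLAN. Only the ACL is modelled, not the transparent bridging."""
import ipaddress

# Constructed sample policy: two server roles, one client subnet, one admin host.
SAMPLE_POLICY = """
object-group network role-file-servers
 network-object host 10.1.10.21
 network-object host 10.1.10.22
object-group network role-domain-controllers
 network-object host 10.1.10.5
object-group network clients-lan
 network-object 10.1.20.0 255.255.255.0
object-group network admin-hosts
 network-object host 10.1.30.10
object-group service svc-smb tcp
 port-object eq 445
 port-object eq 139
object-group service svc-ad tcp
 port-object eq 389
 port-object range 49152 65535
access-list srv-in extended permit tcp object-group admin-hosts object-group role-file-servers eq 3389
access-list srv-in extended permit tcp object-group clients-lan object-group role-file-servers object-group svc-smb
access-list srv-in extended permit tcp object-group clients-lan object-group role-domain-controllers object-group svc-ad
access-list srv-in extended deny ip any any
"""

ANY = ipaddress.ip_network("0.0.0.0/0")

def _take_addr(tok, i, nets):
    """Consume one address operand starting at tok[i]; return (networks, next index)."""
    if tok[i] == "any":
        return [ANY], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return nets[tok[i + 1]], i + 2           # shared list: later adds to the group apply
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2   # "NET MASK" form

def _parse_ace(tok, nets, svcs):
    """tok is everything after 'extended': action proto src dst [service]."""
    src, i = _take_addr(tok, 2, nets)
    dst, i = _take_addr(tok, i, nets)
    ports = None                                  # None means any destination port
    if i < len(tok) and tok[i] == "object-group":
        ports = svcs[tok[i + 1]]
    elif i < len(tok):                            # "eq N" or "range A B"
        ports = [(int(tok[i + 1]), int(tok[i + 2] if tok[i] == "range" else tok[i + 1]))]
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst, "ports": ports}

def parse_policy(text):
    """Return (network groups, service groups, ACLs) from ASA-style config text."""
    nets, svcs, acls, current = {}, {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object-group", "network"]:
            current = nets.setdefault(tok[2], [])
        elif tok[:2] == ["object-group", "service"]:
            current = svcs.setdefault(tok[2], [])   # tok[3] (tcp/udp) not needed here
        elif tok[0] == "network-object":            # "host A" or "NET MASK"
            current.append(ipaddress.ip_network(tok[2] if tok[1] == "host" else f"{tok[1]}/{tok[2]}"))
        elif tok[0] == "port-object":               # "eq N" or "range A B"
            current.append((int(tok[2]), int(tok[3] if tok[1] == "range" else tok[2])))
        elif tok[0] == "access-list" and tok[2] == "extended":
            acls.setdefault(tok[1], []).append(_parse_ace(tok[3:], nets, svcs))
    return nets, svcs, acls

def evaluate(acls, name, proto, src_ip, dst_ip, dport):
    """First-match lookup. Returns (action, ACE number); ("deny", 0) is the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for num, ace in enumerate(acls[name], 1):
        if (ace["proto"] in ("ip", proto)
                and any(src in n for n in ace["src"])
                and any(dst in n for n in ace["dst"])
                and (ace["ports"] is None or any(lo <= dport <= hi for lo, hi in ace["ports"]))):
            return ace["action"], num
    return "deny", 0

def add_to_role(nets, role, host_ip):
    """'Drop a server into a role': add a host to an existing network object-group."""
    nets[role].append(ipaddress.ip_network(host_ip))

if __name__ == "__main__":
    nets, svcs, acls = parse_policy(SAMPLE_POLICY)
    print(evaluate(acls, "srv-in", "tcp", "10.1.20.50", "10.1.10.23", 445))  # not in a role yet
    add_to_role(nets, "role-file-servers", "10.1.10.23")                     # drop it into the role
    print(evaluate(acls, "srv-in", "tcp", "10.1.20.50", "10.1.10.23", 445))  # now permitted
```

Run the intended client and admin flows for a server through `evaluate` before and after adding it to its role; a hit on the final `deny ip any any` ACE tells you which flow the role definition is missing, which is the "go find out what was wrong" step done on paper rather than on a live VLAN move. On an ASA the `packet-tracer` command gives the equivalent answer against the running config.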
Current thread:
- Isolating internal servers behind firewalls Dan Lynch (Sep 08)
- Re: Isolating internal servers behind firewalls Behm, Jeffrey L. (Sep 10)
- Re: Isolating internal servers behind firewalls ArkanoiD (Sep 10)
- Re: Isolating internal servers behind firewalls Marcus J. Ranum (Sep 10)
- Re: Isolating internal servers behind firewalls dlang (Sep 10)
- Re: Isolating internal servers behind firewalls L Cubed (Sep 10)
- Re: Isolating internal servers behind firewalls ArkanoiD (Sep 10)
- Re: Isolating internal servers behind firewalls Bill Royds (Sep 10)
- Re: Isolating internal servers behind firewalls Marcin Antkiewicz (Sep 10)
- Re: Isolating internal servers behind firewalls jason (Sep 10)
- Re: Isolating internal servers behind firewalls K K (Sep 10)
- Re: Isolating internal servers behind firewalls sai (Sep 10)
- Re: Isolating internal servers behind firewalls Timothy Shea (Sep 10)
- Re: Isolating internal servers behind firewalls D Sharp (Sep 11)
- Re: Isolating internal servers behind firewalls Behm, Jeffrey L. (Sep 12)
- Re: Isolating internal servers behind firewalls D Sharp (Sep 13)
- Issue with replacing SonicWall VPN with Cisco ASA VPN devices Behm, Jeffrey L. (Sep 25)
- Re: Issue with replacing SonicWall VPN with Cisco ASA VPN devices Brett Cunningham (Sep 26)
- Re: Issue with replacing SonicWall VPN with Cisco ASA VPN devices Michael Cox (Sep 26)
- Re: Issue with replacing SonicWall VPN with Cisco ASA VPN devices Robby Cauwerts (Sep 26)
- Re: Isolating internal servers behind firewalls Behm, Jeffrey L. (Sep 12)
- Re: Isolating internal servers behind firewalls Behm, Jeffrey L. (Sep 10)