Firewall Wizards mailing list archives
Re: Isolating internal servers behind firewalls
From: Bill Stout <billbrietstout () yahoo com>
Date: Wed, 12 Sep 2007 14:27:48 -0700 (PDT)
----- Original Message ---- From: Dan Lynch <DLynch () placer ca gov> To: firewall-wizards () listserv icsalabs com Sent: Monday, May 7, 2007 12:35:25 PM
Wow your system date is way off...
How prevalent is it to segregate internal use servers away from internal clients behind firewalls? What benefits might we gain from the practice? What threats are we protected from?
Your Law Enforcement side of the network may have services running on the server that you don't want your non-LE people accessing, such as MS-SQL, IIS/Sharepoint, FTP, RDP, etc. Although your share may not necessarily benefit, you could protect the other services, and against things like 135/RPC or 1433/SQL worms if they reappear. A firewall would reduce the number of entry points or at least trim your threat modeling threat tree. Granted there are ways to attack a system via NetBIOS/SMB, the guys working for the county may not possess the skills necessary to exploit 137-139/445 or know what to do next. There probably not a lot of CISSP qualified individuals up in them hills in the first place, which makes you a rarity.
The firewall/security group argues that servers and clients should exist in separate security zones, and that consolidating servers behind firewalls allows us to - Control which clients connect to which servers on what ports - Centralized administration of that network access - Centralized logging of network access - a single point for intrusion detection and prevention measures
A firewall would also provide you with event logs and timestamps for what IP tried to access what service. When access alerts pop-up, immediately asking a inquisitive user "what are you doing?" if effective at reducing future access attempts. You have the benefit of asking a uniform to walk with you for effect.
These benefits protect us from risk associated with internal attackers and infected mobile devices or vendor workstations. On the other hand, the server team counters that - troubleshooting problems becomes more difficult - firewall restrictions on which workstations can perform administration makes general maintenance inconvenient, esp. in an emergency
Not necessarily, permit rules can allow free access from a sysadmin IP range or specific IPs.
- the threats we're countering are exceedingly rare
Because technical enforcement of policy is becoming more effective. If we become complacent, the trend will reverse.
- a broken (or hacked) firewall config breaks all access to servers if consolidated behind firewalls
More likely tripping over a cable an on/off switch error, but yes, a firewall failure should shut off access. I believe you're a Nokia/Checkpoint environment, so you might want to check into their stateful filters for NetBIOS. Since NetBIOS is noisy, logging NetBIOS access may not be feasible, though you could still log other service access. Bill Stout _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Issue with replacing SonicWall VPN with Cisco ASA VPN devices, (continued)
- Re: Issue with replacing SonicWall VPN with Cisco ASA VPN devices Robby Cauwerts (Sep 26)
- Re: Issue with replacing SonicWall VPN with Cisco ASA VPN devices Michael Cox (Sep 26)
- Re: Issue with replacing SonicWall VPN with Cisco ASA VPNdevices Behm, Jeffrey L. (Sep 26)
- Re: Issue with replacing SonicWall VPN with Cisco ASA VPN devices Brett Cunningham (Sep 26)
- Re: Issue with replacing SonicWall VPN with Cisco ASA VPN devices Joe S (Sep 26)
- Re: Issue with replacing SonicWall VPN with Cisco ASA VPN devices robbie . jacka (Sep 26)
- Re: Issue with replacing SonicWall VPN with Cisco ASA VPN devices Anthony (Sep 27)
- Re: Issue with replacing SonicWall VPN with Cisco ASA VPN devices robbie . jacka (Sep 27)
- Re: Issue with replacing SonicWall VPN with Cisco ASA VPN devices Julian M. Dragut (Sep 27)