Security Basics mailing list archives

Re: Isolating internal servers behind firewalls


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 8 May 2007 17:54:07 +0200

On 2007-05-07 Dan Lynch wrote:
> I'm looking for opinions on internal enterprise network firewalling.
> Our environment is almost exclusively Microsoft Active
> Directory-based. There are general purpose file servers, AD domain
> controllers, SMS servers, Exchange servers, and MS-SQL-based database
> app servers. In all about 80+ servers for over 2500 users on about
> 2000 client machines, all running Windows XP.

> How prevalent is it to segregate internal use servers away from
> internal clients behind firewalls? What benefits might we gain from
> the practice? What threats are we protected from?

What you gain in every case is increased complexity of your network
infrastructure. What you gain in addition to that depends on your
requirements and network topology. I'll list a couple things you might
gain if the preconditions apply to your situation:

- Network segmentation helps with privilege separation. Only the users
  who need to access a specific server are able/allowed to access that
  server.
- Exposing only the ports needed on your LAN prevents misconfigured
  services from being exploited. (Personally I consider this a weak
  argument, though, because someone who fails at configuring services
  will also fail at configuring firewalls.)
- Servers that are needed only by other servers, but not by client PCs,
  can be shielded from access from the LAN.

> The firewall/security group argues that servers and clients should
> exist in separate security zones, and that consolidating servers
> behind firewalls allows us to
> - Control which clients connect to which servers on what ports

Yes.

> - Centralized administration of that network access

If set up properly: yes.

> - Centralized logging of network access

Yes. Keep in mind, though, that you'll need someone to read (and
understand) those logs, otherwise the logging would be rather pointless.

> - a single point for intrusion detection and prevention measures

That you can have just as well by plugging IDS appliance(s) into the
monitor port(s) of the switch(es) your servers are connected to. Also
keep in mind that a router as a single point for intrusion detection
also means a single point of failure for your network. You may want some
redundancy here.

> These benefits protect us from risk associated with internal attackers
> and infected mobile devices or vendor workstations.

The risks of infected mobile devices and vendor workstations are better
mitigated by putting these devices/boxes into a separate network
segment. As long as those devices need access to your servers, the level
of protection you can apply to your servers is limited. But you *can*
protect the other clients on your LAN.

> On the other hand, the server team counters that
>
> - troubleshooting problems becomes more difficult

Depends. With proper configuration it doesn't become that much more
difficult. And the firewall logs may actually help with troubleshooting.

> - firewall restrictions on which workstations can perform
> administration makes general maintenance inconvenient, esp. in an
> emergency

Depends on your network topology. Tunneling of connections (e.g. through
SSH) may also be a solution to this issue.

> - the threats we're countering are exceedingly rare

Without knowing the threats and your current situation, this information
is pointless. You need to identify the threats, break them down into
manageable scenarios, and find countermeasures for each scenario. Also
you need to take into consideration not only how frequent an attack may
be, but also what a successful attack will cost you, and what it's worth
to the attacker is.

> - a broken (or hacked) firewall config breaks all access to servers if
> consolidated behind firewalls

True, but your worst case then would be the situation you currently
have, no? That's no reason not to apply a countermeasure if the
countermeasure would mitigate an attack scenario (and not raise
significant additional risks).

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
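As an added example (not part of Ansgar's or Dan's posts), the Python sketch below models the segmentation being debated: a zone-based, default-deny policy that exposes only the ports the client LAN needs, a separate segment for vendor/mobile boxes that never reaches the client LAN, admin access only from designated hosts, and a pass over firewall log lines that both summarises denies per zone and port (the logs someone has to read) and flags flows the firewall allowed in contradiction to the intended policy (the "fails at configuring firewalls" case). All addresses, zone names, port lists, rules and log lines are constructed for illustration and do not describe any real network.

```python
"""Zone-based segmentation policy check with a firewall-log review.

Added example; the address plan, rules and log lines are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed address plan: one zone per security role.
ZONES = {
    "clients": ip_network("10.10.0.0/16"),   # XP workstations
    "vendor":  ip_network("10.20.0.0/24"),   # vendor/mobile boxes, separate segment
    "servers": ip_network("10.30.0.0/24"),   # AD, Exchange, file, SMS, SQL servers
    "admin":   ip_network("10.40.0.0/28"),   # admin workstations / jump hosts
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is 'unknown'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    ports: Optional[FrozenSet[int]]  # None = any destination port
    action: str                      # "allow" or "deny"
    comment: str = ""


# Constructed rule set: first match wins, anything unmatched is denied.
RULES = [
    Rule("vendor", "clients", None, "deny", "vendor segment never reaches client LAN"),
    Rule("clients", "servers", frozenset({53, 88, 135, 389, 443, 445}), "allow",
         "DNS/Kerberos/RPC/LDAP/HTTPS/SMB: what clients actually need"),
    Rule("admin", "servers", frozenset({22, 3389}), "allow", "SSH/RDP only from admin hosts"),
    Rule("servers", "servers", frozenset({1433}), "allow", "MS-SQL reachable from other servers only"),
    Rule("vendor", "servers", frozenset({443}), "allow", "vendor segment gets HTTPS only"),
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (action, reason) for a flow under the intended policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if rule.src_zone == src and rule.dst_zone == dst and (
            rule.ports is None or dst_port in rule.ports
        ):
            return rule.action, rule.comment
    return "deny", "default deny"


# Constructed log lines in a simple key=value style (not any vendor's real format).
SAMPLE_LOG = """\
2007-05-08T09:00:01 src=10.10.4.21 dst=10.30.0.5 dport=445 action=allow
2007-05-08T09:00:03 src=10.10.4.21 dst=10.30.0.5 dport=3389 action=deny
2007-05-08T09:00:07 src=10.20.0.17 dst=10.30.0.9 dport=1433 action=deny
2007-05-08T09:00:09 src=10.20.0.17 dst=10.30.0.9 dport=1433 action=deny
2007-05-08T09:00:12 src=10.40.0.3 dst=10.30.0.5 dport=3389 action=allow
2007-05-08T09:00:15 src=10.10.7.8 dst=10.30.0.9 dport=1433 action=allow
2007-05-08T09:00:20 src=10.20.0.17 dst=10.10.4.21 dport=445 action=deny
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(allow|deny)")

Record = Tuple[str, str, int, str]


def parse_log(text: str) -> List[Record]:
    """Extract (src, dst, dport, action) tuples; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dst, port, action = m.groups()
            records.append((src, dst, int(port), action))
    return records


def deny_summary(records: List[Record]) -> Counter:
    """Denied flows counted per (source zone, destination zone, port) for review."""
    return Counter((zone_of(s), zone_of(d), p) for s, d, p, a in records if a == "deny")


def audit(records: List[Record]) -> List[Tuple[str, str, int, str, str]]:
    """Flows whose logged action contradicts the policy: evidence of a misconfigured firewall."""
    findings = []
    for src, dst, port, logged in records:
        expected = evaluate(src, dst, port)[0]
        if expected != logged:
            findings.append((src, dst, port, logged, expected))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in deny_summary(recs).most_common():
        print("denied", n, "x", key)
    for f in audit(recs):
        print("policy mismatch:", f)
```

Running it lists the vendor segment repeatedly being refused direct MS-SQL access and one client flow to port 1433 that the firewall let through although the rule set says it should not; that second line is the kind of finding the centralized logs only produce if someone actually reads them.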

