Security Basics mailing list archives
Re: Isolating internal servers behind firewalls
From: Facekhan <facekhan () gmail com>
Date: Mon, 07 May 2007 19:08:24 -0400
The network group is basically wanting to take over responsibility for securing the servers because access to the servers depends on their infrastructure, therefore they would have the final say on server security. That is certainly not what the server group wants, and if admin groups cannot be in charge of their own security implementation then it should fall on a specialized security group and not on the network group.
One more reason for segregating the servers is that many if not all of them have no need for internet access and there is a security benefit in blocking internet access to those servers that have no need. This could be done from the main gateway firewall though.
If there is good communication between the network and server teams such a setup is not a big deal, particularly if a default admin account is used for the servers. If authorized users are given administrative privileges and there is no default remote administrator account on production servers, then using a firewall to block access to them is overkill. It comes down to the server administrators being able to manage the security of their own equipment.
Also, are they planning to restrict to a management subnet or VLAN, or by individual management hosts, or what? If you already have user-level security then machine-level just means that users and administrators are tied to their PCs, and having to ask the network team to open access to servers for the server administrators does not make sense as a policy.
It makes sense to put servers on their own subnet, but I would suggest that if adequate AD security precautions are taken to limit user-level access to servers/resources they have no need for, then installing a default-deny firewall in between users and servers is not really worth it. Now it might be a good idea to install a network intrusion detection system within the servers' network for internal security auditing. Also, do you really want to limit throughput between file servers and users when security is better handled by the server administrators?
Jason Dan Lynch wrote:
Greetings list, I'm looking for opinions on internal enterprise network firewalling. Our environment is almost exclusively Microsoft Active Directory-based. There are general purpose file servers, AD domain controllers, SMS servers, Exchange servers, and MS-SQL-based database app servers. In all about 80+ servers for over 2500 users on about 2000 client machines, all running Windows XP.
How prevalent is it to segregate internal use servers away from internal clients behind firewalls? What benefits might we gain from the practice? What threats are we protected from?
The firewall/security group argues that servers and clients should exist in separate security zones, and that consolidating servers behind firewalls allows us to
- Control which clients connect to which servers on what ports
- Centralized administration of that network access
- Centralized logging of network access
- a single point for intrusion detection and prevention measures
These benefits protect us from risk associated with internal attackers and infected mobile devices or vendor workstations.
On the other hand, the server team counters that
- troubleshooting problems becomes more difficult
- firewall restrictions on which workstations can perform administration makes general maintenance inconvenient, esp. in an emergency
- the threats we're countering are exceedingly rare
- a broken (or hacked) firewall config breaks all access to servers if consolidated behind firewalls
Any and all thoughts are appreciated.
Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
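The points both teams raise (per-port control from clients to servers, administration only from a management subnet, central logging, and the fail-closed effect of a lost ruleset) can be modelled in a few lines. The block below is an added example, not code from the thread or from either team; the zone addresses, ports, rule names and sample connections are constructed assumptions.

```python
"""Model of a default-deny zone policy between a client zone and a server zone.

Hypothetical example: addresses, ports and rule names are constructed, not from
the thread. First matching rule wins; unmatched traffic to the server zone is
denied, and every decision is emitted as a central log line.
"""
import ipaddress
from typing import List, Tuple
from dataclasses import dataclass

# Constructed zones (assumptions, not from the thread).
CLIENT_ZONE = ipaddress.ip_network("10.20.0.0/16")   # XP workstations
SERVER_ZONE = ipaddress.ip_network("10.10.0.0/24")   # file/AD/SQL/Exchange servers
MGMT_SUBNET = ipaddress.ip_network("10.30.5.0/24")   # server administrators' PCs


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset          # TCP destination ports this rule covers
    action: str               # "allow" or "deny"


# Ordered ruleset; anything unmatched falls through to the implicit deny.
RULES: List[Rule] = [
    # Administration (RDP, WinRM) only from the management subnet.
    Rule("admin-from-mgmt", MGMT_SUBNET, SERVER_ZONE, frozenset({3389, 5985}), "allow"),
    # Ordinary clients get DNS, AD logon and file services, nothing else.
    Rule("clients-ad-smb", CLIENT_ZONE, SERVER_ZONE, frozenset({53, 88, 389, 445}), "allow"),
]


def evaluate(src: str, dst: str, dport: int, rules=RULES) -> Tuple[str, str]:
    """Return (action, rule_name). Traffic not bound for SERVER_ZONE is not policed here."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if d not in SERVER_ZONE:
        return ("allow", "not-server-zone")
    for r in rules:
        if s in r.src and d in r.dst and dport in r.ports:
            return (r.action, r.name)
    return ("deny", "default-deny")


def log_line(src: str, dst: str, dport: int, action: str, rule: str) -> str:
    """One key=value record, the shape a central syslog collector would receive."""
    return f"zone-fw src={src} dst={dst} dport={dport} action={action} rule={rule}"


def apply_policy(conns, rules=RULES) -> List[str]:
    """Evaluate a batch of (src, dst, dport) tuples and return the log lines."""
    return [log_line(s, d, p, *evaluate(s, d, p, rules)) for s, d, p in conns]


def denied_sources(lines) -> dict:
    """Count denials per source address: the view central logging/IDS gives you."""
    counts = {}
    for ln in lines:
        fields = dict(kv.split("=", 1) for kv in ln.split()[1:])
        if fields["action"] == "deny":
            counts[fields["src"]] = counts.get(fields["src"], 0) + 1
    return counts


# Constructed sample traffic.
SAMPLE = [
    ("10.20.3.7", "10.10.0.5", 445),    # workstation -> file server SMB: allowed
    ("10.20.3.7", "10.10.0.5", 3389),   # workstation -> server RDP: denied
    ("10.20.3.7", "10.10.0.9", 1433),   # workstation -> SQL directly: denied
    ("10.30.5.2", "10.10.0.5", 3389),   # admin PC -> server RDP: allowed
    ("10.20.3.7", "10.20.9.1", 445),    # workstation -> workstation: not policed
]

if __name__ == "__main__":
    for ln in apply_policy(SAMPLE):
        print(ln)
    print(denied_sources(apply_policy(SAMPLE)))
    # The server team's objection in one call: an empty (lost) ruleset blocks the admins too.
    print(evaluate("10.30.5.2", "10.10.0.5", 3389, rules=[]))
```

The last call in the `__main__` block is the failure mode the server team describes: with a default-deny design, a broken or missing ruleset denies the administrators' own RDP session along with everything else, so the ruleset itself needs change control and an out-of-band path.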