Security Basics mailing list archives

Re: Isolating internal servers behind firewalls


From: jmbreci () yahoo com
Date: 8 May 2007 14:59:37 -0000

Dan,

Good question and information.  No one can really answer this for you; you have to find out the information on your 
own...literally.

What advice I can give is this - are there any regulatory guidelines that you are trying to conform to?  Are 
there any critical assets that you want/need to protect?  What security policies do you have in place, and are they 
relevant to this discussion?

My company has some regulatory guidelines that are forcing us to isolate some servers, workstations and general 
locations from our Corporate network.

As an example, take PCI.  One approach is to isolate all of your devices that take/handle CC information from the rest 
of your network.

Having a good set of network diagrams really helps out in planning this.  Also, with some of the items you mentioned, 
how anal are you going to be on the policies?  Are you truly going to try to block, down to the workstation, who does 
or does not have access (internally) to port 1433 on a SQL server?  How will you keep track of that?  Are you planning 
on hard-coding all of your workstations IP addresses so that you do not get hosed by a DHCP scope change?

Our vendors must attach to a completely different network than our Corporate Network.  If they need on the Corp Net, it 
is on one of our machines.  Our mobility users have to come in through a VPN.

Again, my train of thought is to segment off critical/regulatory items.  We do not have the personnel or time to 
micromanage down to the exact workstation for most things.  

With that being said, I would encourage anyone doing this to choose a different firewall vendor for any internal 
firewall projects versus the firewall that they stood up on the end points.

Hope that helps a bit.  

JB

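The post above raises a practical objection to per-workstation firewall exceptions: a rule keyed on a DHCP-assigned address stops matching the moment the scope changes, and a pile of such rules is hard to keep track of. The following Python audit is an added example, not code from the original post or its author. It takes a constructed list of hard-coded host-to-SQL-server (port 1433) exceptions, flags the ones that sit in a DHCP pool (and so may be reassigned), reports which ones are orphaned by a hypothetical scope change, and computes the single prefix you would have to open if you collapsed the host rules into one network rule. The addresses, pools and rule set are all assumptions made up for the example.

```python
"""Audit hard-coded per-host firewall exceptions against DHCP scopes.

Added example (not from the original mailing-list post). All addresses,
pools and rules below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Rule:
    """One per-host exception: allow src workstation -> dst server on dport."""
    src: str
    dst: str
    dport: int


def pool(start: str, end: str) -> List[ipaddress.IPv4Network]:
    """Represent a DHCP pool (inclusive start..end) as a list of prefixes."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


def in_pool(addr: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def dynamic_rules(rules: List[Rule], dhcp_pool) -> List[Rule]:
    """Rules keyed on an address DHCP may hand to a different machine later."""
    return [r for r in rules if in_pool(r.src, dhcp_pool)]


def orphaned_rules(rules: List[Rule], old_pool, new_pool) -> List[Rule]:
    """Rules whose source was a lease in the old pool but is not a valid address
    in the new one: after the scope change the workstation gets a new lease and
    the exception silently stops matching (the user just loses access)."""
    return [r for r in rules
            if in_pool(r.src, old_pool) and not in_pool(r.src, new_pool)]


def covering_segment(rules: List[Rule]) -> ipaddress.IPv4Network:
    """Smallest single IPv4 prefix containing every source in the rule set.

    This is what 'one network rule instead of N host rules' would actually
    open up; a large result is the argument for putting those hosts on a
    dedicated segment rather than filtering by individual address.
    """
    addrs = [ipaddress.ip_address(r.src) for r in rules]
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()          # widen one bit at a time
    return net


# Constructed sample data (assumptions, not from any real network).
SQL_SERVER = "10.20.100.10"
SAMPLE_RULES = [
    Rule("10.20.5.17", SQL_SERVER, 1433),
    Rule("10.20.5.23", SQL_SERVER, 1433),
    Rule("10.20.5.88", SQL_SERVER, 1433),
    Rule("10.20.7.4", SQL_SERVER, 1433),   # outside the pool: a static address
]
OLD_POOL = pool("10.20.5.10", "10.20.5.200")     # scope before the change
NEW_POOL = pool("10.20.8.10", "10.20.11.250")    # scope after a renumbering


def report(rules=SAMPLE_RULES, old_pool=OLD_POOL, new_pool=NEW_POOL) -> dict:
    """Summarise the audit so it can be checked or printed."""
    return {
        "dynamic": len(dynamic_rules(rules, old_pool)),
        "orphaned": len(orphaned_rules(rules, old_pool, new_pool)),
        "segment": str(covering_segment(rules)),
        "segment_size": covering_segment(rules).num_addresses,
    }


if __name__ == "__main__":
    r = report()
    print(f"{r['dynamic']} of {len(SAMPLE_RULES)} rules depend on DHCP leases")
    print(f"{r['orphaned']} rules break after the scope change")
    print(f"collapsing to one prefix would open {r['segment']} "
          f"({r['segment_size']} addresses) to port 1433")
```

Three of the four sample rules ride on DHCP leases and all three are orphaned by the scope change; collapsing the four hosts into a single prefix yields 10.20.4.0/22, a thousand-plus addresses for four machines. Either outcome supports the post's conclusion: segment the critical servers and the clients that need them, rather than micromanaging access down to individual workstation addresses.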
