Firewall Wizards mailing list archives

Re: Isolating internal servers behind firewalls


From: "Bill Royds" <firewall () royds net>
Date: Sat, 8 Sep 2007 14:00:09 -0400

 


From: Dan Lynch
Sent: Monday, May 07, 2007 3:35 PM


How prevalent is it to segregate internal use servers away from internal clients behind firewalls? What benefits might we gain from the practice? What threats are we protected from?


  In my experience, having servers on a separate segment controlled by
routers/switches with ACLs is the most common configuration, with appliance
firewalls segregating segments also common. You enumerate many of the
advantages.


The firewall/security group argues that servers and clients should exist in separate security zones, and that consolidating servers behind firewalls allows us to
- Control which clients connect to which servers on what ports
- Centralized administration of that network access
- Centralized logging of network access
- a single point for intrusion detection and prevention measures

These benefits protect us from risk associated with internal attackers
and infected mobile devices or vendor workstations.


  Counterarguments to the disadvantages below.


On the other hand, the server team counters that 

- troubleshooting problems becomes more difficult 

  Actually, segregation will ease troubleshooting, since traffic is monitored and
should be logged. Since both domain controllers and application servers are on
the same segment, the only traffic across the internal firewall should be client
access to these servers.


- firewall restrictions on which workstations can perform administration make general maintenance inconvenient, esp. in an emergency


   If you have proper change control management, this should not be a problem.
In fact, a good firewall helps guarantee controlled change by ensuring
documentation of all changes to server configurations. During an emergency, you
don't want uncontrolled changes which could make the emergency worse.

- the threats we're countering are exceedingly rare

   Internal threats are the most common kind, more often mistakes rather than
malice, but causing damage just the same.

 

- a broken (or hacked) firewall config breaks all access to servers if consolidated behind firewalls

  No more so than a broken or hacked server configuration. The same problem of
blocked access happens if routing is broken as well, so it really is a
non-issue.


Any and all thoughts are appreciated.


Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
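As an added illustration (not from the thread or either poster), the policy Bill describes modelled as a default-deny rule set for the internal firewall: only client access to the server segment crosses it, remote administration is limited to approved stations, and every decision is written to one central log. The segments, host addresses, ports and flows are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the example (assumed, not from the thread).
CLIENT_NET = ip_network("10.10.0.0/16")                               # workstation segment
SERVER_NET = ip_network("10.20.0.0/24")                               # DCs and app servers together
DC_HOSTS = {ip_address("10.20.0.10"), ip_address("10.20.0.11")}       # domain controllers
APP_HOSTS = {ip_address("10.20.0.50")}                                # application servers
ADMIN_HOSTS = {ip_address("10.10.5.10"), ip_address("10.10.5.11")}    # change-controlled admin stations

# Rule = (name, source test, destination test, allowed TCP destination ports).
# First match wins; no match means deny. That is the "control which clients
# connect to which servers on what ports" point from the original post.
RULES = [
    # Clients to domain controllers: DNS, Kerberos, LDAP, SMB
    ("clients-to-dc", lambda s: s in CLIENT_NET, lambda d: d in DC_HOSTS, {53, 88, 389, 445}),
    # Clients to the application servers: HTTPS only
    ("clients-to-app", lambda s: s in CLIENT_NET, lambda d: d in APP_HOSTS, {443}),
    # SSH/RDP administration only from the approved admin stations
    ("admin-mgmt", lambda s: s in ADMIN_HOSTS, lambda d: d in SERVER_NET, {22, 3389}),
]


def evaluate(src, dst, dport):
    """Return (verdict, reason) for one flow; default deny when nothing matches."""
    src, dst = ip_address(src), ip_address(dst)
    if dst not in SERVER_NET:
        return ("deny", "not-server-segment")
    for name, src_ok, dst_ok, ports in RULES:
        if src_ok(src) and dst_ok(dst) and dport in ports:
            return ("allow", name)
    return ("deny", "default")


def log_line(src, dst, dport):
    """One central log record per decision, allowed or denied."""
    verdict, reason = evaluate(src, dst, dport)
    return f"internal-fw {verdict.upper()} {src}->{dst}:{dport} rule={reason}"


def audit(flows):
    """Log a batch of (src, dst, dport) flows; denied lines are what troubleshooting reads first."""
    return [log_line(*flow) for flow in flows]
```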

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
