Firewall Wizards mailing list archives
Re: Isolating internal servers behind firewalls
From: "Bill Royds" <firewall () royds net>
Date: Sat, 8 Sep 2007 14:00:09 -0400
From: Dan Lynch Sent: Monday, May 07, 2007 3:35 PM
How prevalent is it to segregate internal use servers away from internal clients behind firewalls? What benefits might we gain from the practice? What threats are we protected from?
In my experience, having servers on a separate segment controlled by routers/switches with ACL is the most common configuration, with appliance firewalls segregating segments also common. You enumerate many of the advantages.
The firewall/security group argues that servers and clients should exist in separate security zones, and that consolidating servers behind firewalls allows us to
- Control which clients connect to which servers on what ports
- Centralized administration of that network access
- Centralized logging of network access
- A single point for intrusion detection and prevention measures
These benefits protect us from risk associated with internal attackers and infected mobile devices or vendor workstations.
Counter arguments to disadvantages below.
On the other hand, the server team counters that
- troubleshooting problems becomes more difficult
Actually segregation will ease troubleshooting, since traffic is monitored and should be logged. Since both domain controllers and application servers are on the same segment, the only traffic across the internal firewall should be client access to these servers.
- firewall restrictions on which workstations can perform administration makes general maintenance inconvenient, esp. in an emergency
If you have proper change control management, this should not be a problem. In fact, a good firewall helps guarantee controlled change by ensuring documentation of all changes to server configurations. During an emergency, you don't want uncontrolled changes which could make the emergency worse.
- the threats we're countering are exceedingly rare
Internal threats are the most common kind, more often mistakes rather than vicious, but causing damage just the same.
- a broken (or hacked) firewall config breaks all access to servers if consolidated behind firewalls
No more so than a broken or hacked server configuration. The same problem of blocked access happens if routing is broken as well, so it really is a non-issue.
Any and all thoughts are appreciated.
Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
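The zoning model argued for above (clients and servers in separate zones, a central rule table deciding which clients reach which servers on which ports, administrative protocols permitted only from a management segment, and every decision logged centrally) can be modelled in a few lines. The following is an added illustration, not code from the thread or from either poster; the zone addresses, port numbers and rule names are constructed for the example, and the rule evaluation deliberately mirrors what a segment firewall does: ordered first-match with a default deny, so an unexpected flow shows up in the log under the catch-all rather than silently succeeding.

```python
"""Toy model of a client/server segment firewall with central logging.

Constructed example: three zones, an ordered rule table with first-match
semantics and a default deny, and a log record for every decision.
All addresses are made-up RFC 1918 ranges.
"""
import ipaddress
from dataclasses import dataclass

# Zones (constructed): domain controllers and application servers share the
# server segment; clients live elsewhere; a small management subnet is the
# only origin from which administrative protocols are permitted.
ZONES = {
    "clients": [ipaddress.ip_network("10.10.0.0/16")],
    "servers": [ipaddress.ip_network("10.20.0.0/24")],
    "mgmt":    [ipaddress.ip_network("10.30.0.0/28")],
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    ports: frozenset   # destination TCP ports the rule matches
    action: str        # "allow" or "deny"


# Ordered rule table: first match wins; anything unmatched is denied.
RULES = [
    # Administration (SSH/RDP) only from the management subnet.
    Rule("admin-from-mgmt", "mgmt", "servers", frozenset({22, 3389}), "allow"),
    # Ordinary client traffic to the directory and the application front end.
    Rule("client-ldap-kerberos", "clients", "servers", frozenset({88, 389, 636}), "allow"),
    Rule("client-web-app", "clients", "servers", frozenset({443}), "allow"),
    # Explicit deny so the log names the rule instead of the catch-all.
    Rule("block-client-admin", "clients", "servers", frozenset({22, 3389}), "deny"),
]


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in n for n in nets):
            return name
    return "unknown"


def evaluate(src: str, dst: str, dport: int, log: list) -> str:
    """Decide one flow ('allow' or 'deny') and append a central log record."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    verdict, matched = "deny", "default-deny"
    for rule in RULES:
        if rule.src_zone == src_zone and rule.dst_zone == dst_zone and dport in rule.ports:
            verdict, matched = rule.action, rule.name
            break
    log.append(f"{verdict.upper()} {src}({src_zone}) -> {dst}({dst_zone}):{dport} rule={matched}")
    return verdict


# Constructed sample flows: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.10.5.7", "10.20.0.10", 389),    # client LDAP to a domain controller
    ("10.10.5.7", "10.20.0.10", 3389),   # client trying RDP to a server
    ("10.30.0.5", "10.20.0.10", 22),     # admin SSH from the management subnet
    ("10.10.5.7", "10.20.0.10", 8080),   # client to an unpublished port
    ("192.168.1.1", "10.20.0.10", 443),  # address in no defined zone
]


def run_sample() -> tuple:
    """Evaluate the sample flows; return (verdicts, log) for inspection."""
    log: list = []
    verdicts = [evaluate(s, d, p, log) for s, d, p in SAMPLE_FLOWS]
    return verdicts, log


if __name__ == "__main__":
    _, records = run_sample()
    print("\n".join(records))
```

Running it prints one line per flow; the denied RDP attempt is attributed to the named `block-client-admin` rule, while the flow to port 8080 and the flow from the unzoned address fall through to `default-deny`, which is exactly the centralized, attributable record the security group's argument relies on.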