Firewall Wizards mailing list archives
Re: Isolating internal servers behind firewalls
From: "K K" <kkadow () gmail com>
Date: Sat, 8 Sep 2007 14:34:51 -0500
On 5/7/07, Dan Lynch <DLynch () placer ca gov> wrote:
> I'm looking for opinions on internal enterprise network firewalling. Our environment is almost exclusively Microsoft Active Directory-based. There are general purpose file servers, AD domain controllers, SMS servers, Exchange servers, and MS-SQL-based database app servers. In all about 80+ servers for over 2500 users on about 2000 client machines, all running Windows XP. How prevalent is it to segregate internal use servers away from internal clients behind firewalls? What benefits might we gain from the practice?
It's common to isolate production servers from development and from users, or even to isolate servers from other servers.

Aside from the obvious, having a strict "that which is not explicitly permitted is denied" policy ensures that new services just don't appear out of the blue without some formal process and approval. Also valuable to take into account is that the policy should not only restrict what is permitted inbound towards servers, but what is permitted out from the servers towards other internal segments, and towards the Internet.

I've also dealt with sites where the server admins convinced management that a strong policy was too much of a hardship, and that the firewall group should instead be required to implement a "negative" policy, of only blocking the bad stuff. This was a disaster. If the company is not going to be willing to implement a strong "positive" firewall policy, then your needs might be better served by installing NIDS.
> What threats are we protected from?
Nachi, Welchia, SQL-Slammer, Joe in accounts-payable, etc. In a pure Microsoft monoculture, you have to consider not only the obvious risk of an epidemic due to a fast-spreading worm, but also that uniform system administration can mean uniform exposure when an administrator's password is compromised.

Kevin
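To make the "positive" versus "negative" policy distinction in Kevin's reply concrete, here is an added illustration (not code from the list or from any poster) that evaluates the same constructed flows against both policy styles for a client segment, a server segment and the Internet. The zone addresses, port sets and flows are all made up for the example; the point it shows is that a service nobody approved is denied by the positive policy but sails through the negative one, and that egress from servers is covered too.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str = "tcp"


# Constructed segments for the example (not real addressing).
ZONES = {
    "clients": ip_network("10.10.0.0/16"),
    "servers": ip_network("10.20.0.0/24"),
}


def zone_of(addr: str) -> str:
    """Map an address to its segment; anything outside the two is 'internet'."""
    for name, net in ZONES.items():
        if ip_address(addr) in net:
            return name
    return "internet"


# Positive policy: explicit permits per (source zone, destination zone);
# anything not listed is denied. Inbound to servers AND outbound from servers
# are both written down, as the post recommends. Port sets are illustrative.
POSITIVE_RULES = {
    ("clients", "servers"): {("tcp", 88), ("udp", 88), ("tcp", 389), ("tcp", 445),
                             ("tcp", 53), ("udp", 53), ("tcp", 135)},
    ("servers", "servers"): {("tcp", 88), ("tcp", 389), ("tcp", 445), ("tcp", 1433)},
    ("servers", "internet"): {("tcp", 443)},  # e.g. patch downloads only
}

# Negative policy: block only what was known to be bad when the rules were
# written; everything else is allowed by default. Constructed block list.
NEGATIVE_BLOCKS = {("udp", 1434), ("tcp", 4444)}


def positive_policy(flow: Flow) -> bool:
    permitted = POSITIVE_RULES.get((zone_of(flow.src), zone_of(flow.dst)), set())
    return (flow.proto, flow.port) in permitted


def negative_policy(flow: Flow) -> bool:
    return (flow.proto, flow.port) not in NEGATIVE_BLOCKS


def compare(flows):
    """Return (flow, allowed_by_positive, allowed_by_negative) for each flow."""
    return [(f, positive_policy(f), negative_policy(f)) for f in flows]
```

A flow such as a client to a server on an unapproved port, or a server opening an outbound mail connection, is where the two results diverge.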