Firewall Wizards mailing list archives

Re: Isolating internal servers behind firewalls


From: Timothy Shea <tim () tshea net>
Date: Sat, 8 Sep 2007 10:42:49 -0500


On May 7, 2007, at 2:35 PM, Dan Lynch wrote:

Greetings list,


Hi!

[description of a stereotypical microsoft shop deleted]

How prevalent is it to segregate internal use servers away from internal clients behind firewalls? What benefits might we gain from the practice? What threats are we protected from?

The firewall/security group argues that servers and clients should exist in separate security zones, and that consolidating servers behind firewalls allows us to

Ahhhh... yes ... "security zones"... I know where this is going.... Let me guess - recent college graduates with a degree in Information Security here?

- Control which clients connect to which servers on what ports

Bollocks!  The very ports you have to open are usually the very ports that suffer the biggest issues (Microsoft RPC or MSSQL ports, for example), so putting in a firewall is not going to help.  And how is your organization going to define what ports are opened from where?  Are all your accountants in the same place? Doubtful.  Are all your engineers in the same place? Doubtful.  Do you have an accurate map of data flows and servers?  Doubtful.  Then again - maybe you have all these things...

- Centralized administration of that network access

I fail to see how centralizing admin of network controls is relevant to the argument.

- Centralized logging of network access

While I generally encourage logging - this will generate A LOT of logs.

- a single point for intrusion detection and prevention measures

IDS/IPS are not firewalls and vice versa (although there is some morphing going on) - completely separate discussion.


On the other hand, the server team counters that

- troubleshooting problems becomes more difficult
- firewall restrictions on which workstations can perform administration makes general maintenance inconvenient, esp. in an emergency

Cry me a river.

- the threats we're countering are exceedingly rare

You plan for the threats you aren't encountering.

- a broken (or hacked) firewall config breaks all access to servers if consolidated behind firewalls


So can a broken switch, a broken router, a broken UPS, someone knocking out a power cord.  Sigh ... in general server people look at firewalls as mysterious black boxes that they don't control nor understand.  This is an operational problem - have good procedures and it's not an issue (of course many have problems with this).


My general take is that central enterprise servers are managed better and are patched more frequently than desktops or non-enterprise servers (in companies that I've worked in).  So the risk of something or someone messing with those servers is lower.  I encourage frequent audits of the environment, centralized logging of changes, and aggressive patching of servers.

There are also bandwidth concerns.  The firewall you would need to put in to, say, support a 10gig Ethernet connection is going to be expensive.

I do encourage segmenting off vendor managed systems, labs, development environments, and systems that are critical to the company such as manufacturing or ATMs (all depending on the industry).

I'm coming from medium to large companies that generally have operations in more than one country so your mileage may vary from my opinions.

t.s
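Added example, not part of the list post above: a small model of the "clients and servers in separate security zones" policy the two camps are arguing about. Hosts are assigned to zones, the firewall is default-deny between zones, explicit rules permit named client zones to reach named server ports, and every decision produces one log line. The zone names, address ranges, services and sample flows are all constructed for illustration; nothing here is taken from the original poster's environment. The `unused_rules` audit goes slightly beyond the thread by showing how the per-flow log can be turned into the "accurate map of data flows" Tim asks about.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One explicit allow between two zones for a single protocol/port."""
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    comment: str = ""


class ZonePolicy:
    """Default-deny between zones; traffic inside one zone is not filtered."""

    def __init__(self):
        self.zones = {}   # zone name -> list of ip_network
        self.rules = []   # ordered allow rules (first match wins)
        self.hits = {}    # Rule -> number of flows it has matched
        self.log = []     # one line per decision, like a firewall log

    def add_zone(self, name, *cidrs):
        self.zones[name] = [ipaddress.ip_network(c) for c in cidrs]

    def zone_of(self, ip):
        addr = ipaddress.ip_address(ip)
        for name, nets in self.zones.items():
            if any(addr in n for n in nets):
                return name
        return None

    def allow(self, src_zone, dst_zone, proto, dport, comment=""):
        self.rules.append(Rule(src_zone, dst_zone, proto.lower(), dport, comment))

    def check(self, src_ip, dst_ip, proto, dport):
        """Return True if the flow is permitted; always append a log line."""
        src_zone, dst_zone = self.zone_of(src_ip), self.zone_of(dst_ip)
        matched = None
        if src_zone is None or dst_zone is None:
            verdict = "DENY"      # hosts outside every known zone get nothing
        elif src_zone == dst_zone:
            verdict = "ALLOW"     # same zone: the firewall is not in the path
        else:
            key = (src_zone, dst_zone, proto.lower(), dport)
            for r in self.rules:
                if (r.src_zone, r.dst_zone, r.proto, r.dport) == key:
                    matched = r
                    break
            verdict = "ALLOW" if matched else "DENY"
        if matched:
            self.hits[matched] = self.hits.get(matched, 0) + 1
        self.log.append(
            f"{verdict} {src_ip}({src_zone}) -> {dst_ip}({dst_zone}) {proto}/{dport}"
            + (f" [{matched.comment}]" if matched else "")
        )
        return verdict == "ALLOW"

    def unused_rules(self):
        """Allow rules no logged flow has ever matched: review or remove them."""
        return [r for r in self.rules if r not in self.hits]


def build_example_policy():
    # Constructed address plan: one client zone, one server zone, one admin zone.
    p = ZonePolicy()
    p.add_zone("clients", "10.10.0.0/16")
    p.add_zone("servers", "10.20.0.0/24")
    p.add_zone("admins", "10.30.0.0/24")
    # The ports the business forces you to open are exactly the risky ones.
    p.allow("clients", "servers", "tcp", 445, "file shares")
    p.allow("clients", "servers", "tcp", 1433, "MSSQL from accounting app")
    p.allow("admins", "servers", "tcp", 3389, "RDP for server team")
    p.allow("admins", "servers", "tcp", 5985, "WinRM for server team")
    return p


def run_sample_flows(policy):
    # Constructed flows standing in for one slice of a day's traffic.
    flows = [
        ("10.10.5.7", "10.20.0.10", "tcp", 445),    # client -> file server
        ("10.10.5.7", "10.20.0.10", "tcp", 1433),   # client -> SQL (had to open it)
        ("10.10.5.7", "10.20.0.10", "tcp", 3389),   # client RDP to a server: denied
        ("10.30.0.4", "10.20.0.10", "tcp", 3389),   # admin RDP: allowed
        ("10.10.5.7", "10.10.9.9", "tcp", 3389),    # client-to-client: not filtered
        ("192.168.1.1", "10.20.0.10", "tcp", 445),  # host in no zone: denied
    ]
    return [policy.check(*f) for f in flows]


if __name__ == "__main__":
    policy = build_example_policy()
    run_sample_flows(policy)
    print("\n".join(policy.log))
    print("never matched:", [r.comment for r in policy.unused_rules()])
```

Two things fall out of running it. The MSSQL flow is allowed because the rule exists, which is Tim's point that the firewall does nothing for the ports you were forced to open; what it does buy you is the denied RDP attempt from a client appearing in the log, and the WinRM rule showing up as never used, which is the kind of finding the periodic audits he recommends would produce. Six flows produced six log lines; at enterprise scale that is the "A LOT of logs" remark made concrete.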



_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards