Firewall Wizards mailing list archives
Re: Isolating internal servers behind firewalls
From: Timothy Shea <tim () tshea net>
Date: Sat, 8 Sep 2007 10:42:49 -0500
On May 7, 2007, at 2:35 PM, Dan Lynch wrote:
> Greetings list,
Hi! [description of a stereotypical microsoft shop deleted]
> How prevalent is it to segregate internal use servers away from internal clients behind firewalls? What benefits might we gain from the practice? What threats are we protected from? The firewall/security group argues that servers and clients should exist in separate security zones, and that consolidating servers behind firewalls allows us to
Ahhhh... yes ... "security zones"... I know where this is going.... Let me guess - recent college graduates with a degree in Information Security here?
> - Control which clients connect to which servers on what ports
Bullocks! The very ports you have to open are usually the very ports that suffer the biggest issues (microsoft rpc or MSSQL ports for example) so putting in a firewall is not going to help. And how is your organization going to define what ports are opened from where? Are all your accountants in the same place? doubtful. Are all your engineers in the same place? doubtful. Do you have an accurate map of data flows and servers? Doubtful. Then again - maybe you have all these things...
> - Centralized administration of that network access
I fail to see how centralizing admin of network controls is relevant to the argument
> - Centralized logging of network access
While I generally encourage logging - this will generate A LOT of logs.
> - a single point for intrusion detection and prevention measures
IDS/IPS are not firewalls and vice versa (although there is some morphing going on) - completely separate discussion.
> On the other hand, the server team counters that
> - troubleshooting problems becomes more difficult
> - firewall restrictions on which workstations can perform administration makes general maintenance inconvenient, esp. in an emergency
Cry me a river.
> - the threats we're countering are exceedingly rare
You plan for the threats you aren't encountering.
> - a broken (or hacked) firewall config breaks all access to servers if consolidated behind firewalls
So can a broken switch, a broken router, a broken UPS, someone knocking out a power cord. Sigh ... in general server people look at firewalls as mysterious black boxes that they don't control nor understand. This is an operational problem - have good procedures and it's not an issue (of course many have problems with this).

My general take is that central enterprise servers are managed better and are patched more frequently than desktops or non-enterprise servers (in companies that I've worked in). So the risk of something or someone messing with those servers is lower. I encourage frequent audits of the environment, centralized logging of changes, and aggressive patching of servers.

There are also bandwidth concerns. The firewall you would need to put in to say support a 10gig ethernet connection is going to be expensive.

I do encourage segmenting off vendor managed systems, labs, development environments, and systems that are critical to the company such as manufacturing or ATMs (all depending on the industry).

I'm coming from medium to large companies that generally have operations in more than one country so your mileage may vary from my opinions.

t.s

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards