Firewall Wizards mailing list archives

Re: Isolating internal servers behind firewalls


From: "Behm, Jeffrey L." <BehmJL () bv com>
Date: Tue, 11 Sep 2007 22:24:18 -0500

On Tue 9/11/2007 12:11 PM,  D Sharp said:
Summary:

Can segmenting/filtering at the network level provide a greater level of risk reduction?

If you don't review every port request for risk, and deny those that are risky, then you are just tracking the traffic good/bad.

Although "risky" is a relative, and not a universally defined, term, the question remains: "Is Windows file sharing risky?"

1) If one thinks Windows file sharing is risky, then that traffic to the protected servers must be denied. If it is denied, then why have Windows file servers?
2) If one thinks Windows file sharing is not risky, then I have no basis to argue the point any further.

I suppose you could prevent meltdown by blocking everything that is risky, but then you have a network that doesn't function, either.
 
 
I used to think that segmenting/filtering *could* provide a greater level of risk reduction. In a perfect environment, it could. However, in the real world, where $$$ talk, I don't believe that is the case (maybe I'm already becoming too crusty at age 42?). Environments are sometimes very dynamic, and maintenance of the environment gets pushed down to the low man/woman on the totem pole, because the senior folks are too busy fighting the fire du jour, or designing the next big thing, and don't have time to mess with such mundane tasks as maintenance of rules. Those (less expensive folks) left to do the maintenance typically have less experience, and are more apt to make a human error when implementing the filtering rules. One typo that goes unchecked (because checking it costs even more $$$), and the firewall is wide open.
 
Jeff (no personal attacks were implied - hopefully it comes across that way)


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
