Firewall Wizards mailing list archives
Re: Isolating internal servers behind firewalls
From: "Behm, Jeffrey L." <BehmJL () bv com>
Date: Tue, 11 Sep 2007 22:24:18 -0500
On Tue 9/11/2007 12:11 PM, D Sharp said:

Summary: Can segmenting/filtering network level provide a greater level of risk reduction?

If you don't review every port request for risk, and deny those that are risky, then you are just tracking the traffic good/bad.
Although "risky" is a relative, and not a universally defined, term, the question remains: "Is Windows file sharing risky?"

1) If one thinks Windows file sharing is risky, then that traffic to the protected servers must be denied. If it is denied, then why have Windows file servers?

2) If one thinks Windows file sharing is not risky, then I have no basis to argue the point any further.

I suppose you could prevent meltdown by blocking everything that is risky, but then you have a network that doesn't function, either.

I used to think that segmenting/filtering *could* provide a greater level of risk reduction. In a perfect environment, it could. However, in the real world, where $$$ talk, I don't believe that is the case (maybe I'm already becoming too crusty at age 42?). Environments are sometimes very dynamic, and maintenance of the environment gets pushed down to the low man/woman on the totem pole, because the senior folks are too busy fighting the fire du jour, or designing the next big thing, and don't have time to mess with such mundane tasks as maintenance of rules. Those (less expensive folks) left to do the maintenance typically have less experience, and are more apt to make a human error when implementing the filtering rules. One typo that goes unchecked (because checking it costs even more $$$), and the firewall is wide open.

Jeff

(no personal attacks were implied - hopefully it comes across that way)
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
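The post's closing point is that one unchecked typo in a filtering rule leaves the firewall wide open. As an added example (not code from the post or the list), here is a small rule-review script that flags exactly that class of mistake: an allow-all rule, and Windows file sharing ports reachable on a protected server segment from sources outside a trusted subnet. The rule format (`allow|deny SRC DST PORT`), the sample ruleset and the network ranges are all constructed for the example.

```python
import ipaddress

# Ports used by Windows file sharing (NetBIOS session/datagram and SMB over TCP).
FILE_SHARING_PORTS = {137, 138, 139, 445}

def parse_rule(line):
    """Parse the constructed format 'allow|deny SRC_CIDR DST_CIDR PORT'; 'any' is allowed."""
    action, src, dst, port = line.split()
    return {
        "action": action.lower(),
        "src": ipaddress.ip_network("0.0.0.0/0" if src == "any" else src),
        "dst": ipaddress.ip_network("0.0.0.0/0" if dst == "any" else dst),
        "port": None if port == "any" else int(port),
    }

def audit(rules, protected, trusted):
    """Return (rule_text, reason) for each allow rule a reviewer should look at.

    protected: CIDR of the server segment behind the firewall.
    trusted:   CIDRs that are allowed to reach file-sharing ports on it.
    """
    protected = ipaddress.ip_network(protected)
    trusted = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for text in rules:
        r = parse_rule(text)
        if r["action"] != "allow":
            continue
        wide_src, wide_dst = r["src"].prefixlen == 0, r["dst"].prefixlen == 0
        if wide_src and wide_dst and r["port"] is None:
            findings.append((text, "wide open: any source, any destination, any port"))
            continue
        if not r["dst"].overlaps(protected):
            continue
        if r["port"] is None:
            findings.append((text, "all ports allowed into protected segment"))
        elif r["port"] in FILE_SHARING_PORTS and not any(r["src"].subnet_of(t) for t in trusted):
            findings.append((text, "file sharing reachable from untrusted source"))
    return findings

# Constructed sample ruleset; the third rule is the "typo" (any instead of the LAN range).
SAMPLE_RULES = [
    "allow 10.1.0.0/16 10.9.0.0/24 445",  # trusted LAN to file servers: fine
    "allow 10.2.0.0/16 10.9.0.0/24 80",   # web traffic to protected segment: fine
    "allow any 10.9.0.0/24 445",          # SMB from anywhere: should be flagged
    "allow any any any",                  # the wide-open rule
    "deny any any any",
]

if __name__ == "__main__":
    for text, reason in audit(SAMPLE_RULES, "10.9.0.0/24", ["10.1.0.0/16"]):
        print(f"{reason:50s} <- {text}")
```

Running the check as part of every rule change (rather than relying on a second person's $$$-costing review) is the cheap way to catch the typo before it reaches the firewall.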