Security Basics mailing list archives
Isolating internal servers behind firewalls
From: "Dan Lynch" <DLynch () placer ca gov>
Date: Mon, 7 May 2007 12:32:22 -0700
Greetings list,

I'm looking for opinions on internal enterprise network firewalling. Our environment is almost exclusively Microsoft Active Directory-based. There are general purpose file servers, AD domain controllers, SMS servers, Exchange servers, and MS-SQL-based database app servers. In all about 80+ servers for over 2500 users on about 2000 client machines, all running Windows XP.

How prevalent is it to segregate internal use servers away from internal clients behind firewalls? What benefits might we gain from the practice? What threats are we protected from?

The firewall/security group argues that servers and clients should exist in separate security zones, and that consolidating servers behind firewalls allows us to

- Control which clients connect to which servers on what ports
- Centralized administration of that network access
- Centralized logging of network access
- a single point for intrusion detection and prevention measures

These benefits protect us from risk associated with internal attackers and infected mobile devices or vendor workstations.

On the other hand, the server team counters that

- troubleshooting problems becomes more difficult
- firewall restrictions on which workstations can perform administration makes general maintenance inconvenient, esp. in an emergency
- the threats we're countering are exceedingly rare
- a broken (or hacked) firewall config breaks all access to servers if consolidated behind firewalls

Any and all thoughts are appreciated.

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
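As an added illustration that is not part of the post or the thread, the Python below models the kind of per-port zone policy the firewall group proposes for an AD environment (client VLAN to domain controllers and file servers, admin VLAN to servers) and adds a lint for the lockout case the server team raises, where a policy change leaves no administrative path to a server network. All subnets, rule names and port sets are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing for a segmented AD network (assumptions).
CLIENTS = ipaddress.ip_network("10.10.0.0/16")   # workstation VLAN
ADMINS  = ipaddress.ip_network("10.20.0.0/24")   # admin workstations
DCS     = ipaddress.ip_network("10.50.1.0/24")   # domain controllers
FILESRV = ipaddress.ip_network("10.50.2.0/24")   # file servers

@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset  # destination ports permitted; 0 means any port

# First match wins; anything not matched is dropped (default deny).
# Ports: DNS 53, Kerberos 88, RPC endpoint mapper 135, LDAP 389, SMB 445,
# Kerberos password change 464. The admin rule deliberately omits FILESRV
# so the lint below has something to flag.
POLICY = [
    Rule("clients-to-dc", CLIENTS, DCS, frozenset({53, 88, 135, 389, 445, 464})),
    Rule("clients-to-files", CLIENTS, FILESRV, frozenset({445})),
    Rule("admins-rdp", ADMINS, DCS, frozenset({3389})),
]

def allowed(policy, src, dst, port):
    """Return the name of the first rule permitting src -> dst:port, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        if s in r.src and d in r.dst and (0 in r.ports or port in r.ports):
            return r.name
    return None

def lint_admin_reachability(policy, admin_net, server_nets, admin_port=3389):
    """Names of server networks the admin VLAN cannot reach on admin_port.

    Probes one representative host per network, which is a simplification;
    a non-empty result is the locked-out-of-our-own-servers condition."""
    probe_src = str(next(admin_net.hosts()))
    unreachable = []
    for name, net in server_nets.items():
        probe_dst = str(next(net.hosts()))
        if allowed(policy, probe_src, probe_dst, admin_port) is None:
            unreachable.append(name)
    return unreachable

if __name__ == "__main__":
    print(allowed(POLICY, "10.10.5.5", "10.50.1.10", 389))     # clients-to-dc
    print(allowed(POLICY, "10.10.5.5", "10.50.1.10", 3389))    # None
    print(lint_admin_reachability(POLICY, ADMINS, {"dcs": DCS, "filesrv": FILESRV}))
```

Run as a pre-deployment check, the lint turns the "broken config breaks all access" objection into a concrete test that fails before the change goes live rather than during an emergency.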