Security Basics mailing list archives
Re: Isolating internal servers behind firewalls
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 8 May 2007 17:54:07 +0200
On 2007-05-07 Dan Lynch wrote:
I'm looking for opinions on internal enterprise network firewalling. Our environment is almost exclusively Microsoft Active Directory-based. There are general purpose file servers, AD domain controllers, SMS servers, Exchange servers, and MS-SQL-based database app servers. In all about 80+ servers for over 2500 users on about 2000 client machines, all running Windows XP. How prevalent is it to segregate internal use servers away from internal clients behind firewalls? What benefits might we gain from the practice? What threats are we protected from?
What you gain in every case is increased complexity of your network infrastructure. What you gain in addition to that depends on your requirements and network topology. I'll list a couple things you might gain if the preconditions apply to your situation:
- Network segmentation helps with privilege separation. Only the users who need to access a specific server are able/allowed to access that server.
- Exposing only the ports needed on your LAN prevents misconfigured services from being exploited. (Personally I consider this a weak argument, though, because someone who fails at configuring services will also fail at configuring firewalls.)
- Servers that are needed only by other servers, but not by client PCs, can be shielded from access from the LAN.
The firewall/security group argues that servers and clients should exist in separate security zones, and that consolidating servers behind firewalls allows us to
- Control which clients connect to which servers on what ports
Yes.
- Centralized administration of that network access
If set up properly: yes.
- Centralized logging of network access
Yes. Keep in mind, though, that you'll need someone to read (and understand) those logs, otherwise the logging would be rather pointless.
- a single point for intrusion detection and prevention measures
That you can have just as well by plugging IDS appliance(s) into the monitor port(s) of the switch(es) your servers are connected to. Also keep in mind that a router as a single point for intrusion detection also means a single point of failure for your network. You may want some redundancy here.
These benefits protect us from risk associated with internal attackers and infected mobile devices or vendor workstations.
The risks of infected mobile devices and vendor workstations are better mitigated by putting these devices/boxes into a separate network segment. As long as those devices need access to your servers, the level of protection you can apply to your servers is limited. But you *can* protect the other clients on your LAN.
On the other hand, the server team counters that
- troubleshooting problems becomes more difficult
Depends. With proper configuration it doesn't become that much more difficult. And the firewall logs may actually help with troubleshooting.
- firewall restrictions on which workstations can perform administration makes general maintenance inconvenient, esp. in an emergency
Depends on your network topology. Tunneling of connections (e.g. through SSH) may also be a solution to this issue.
- the threats we're countering are exceedingly rare
Without knowing the threats and your current situation, this information is pointless. You need to identify the threats, break them down into manageable scenarios, and find countermeasures for each scenario. Also you need to take into consideration not only how frequent an attack may be, but also what a successful attack will cost you, and what it's worth to the attacker.
- a broken (or hacked) firewall config breaks all access to servers if consolidated behind firewalls
True, but your worst case then would be the situation you currently have, no? That's no reason not to apply a countermeasure if the countermeasure would mitigate an attack scenario (and not raise significant additional risks).

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
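The points made in this reply (privilege separation per server, exposing only the ports a zone needs, shielding server-only services such as SQL from client PCs, a separate segment for vendor/mobile devices, and actually reading the resulting logs) can be expressed as a small zone-based policy and checked against connection records. The following is an added example, not code from the thread or from either poster; the address plan, server inventory, port allow-list and log format are all constructed assumptions, and the port numbers are illustrative rather than a complete list for any of the products named.

```python
import ipaddress
import re

# Constructed address plan: one subnet per zone (assumption, not the poster's topology).
ZONES = {
    "clients": ipaddress.ip_network("10.10.0.0/16"),   # workstation LAN
    "admin":   ipaddress.ip_network("10.20.0.0/24"),   # admin workstations
    "vendor":  ipaddress.ip_network("10.30.0.0/24"),   # vendor/mobile boxes, own segment
    "servers": ipaddress.ip_network("10.100.0.0/24"),  # consolidated server segment
}

# Constructed server inventory: address -> role.
SERVER_ROLES = {
    "10.100.0.10": "dc",
    "10.100.0.20": "exchange",
    "10.100.0.30": "sql",
    "10.100.0.40": "file",
}

# Allow-list keyed by (source zone, destination role) -> permitted TCP ports.
# Anything not listed is denied (default deny). Port choices are illustrative.
ALLOW = {
    ("clients", "dc"):       {53, 88, 389, 445, 464, 636},
    ("clients", "exchange"): {443},
    ("clients", "file"):     {445},
    # SQL is reached only by other servers (the app tier), never by client PCs.
    ("servers", "sql"):      {1433},
    ("servers", "dc"):       {53, 88, 389, 445, 636},
    # Vendor boxes get the file server and nothing else.
    ("vendor", "file"):      {445},
    # Admin workstations may manage every server role ("*") over SMB and RDP.
    ("admin", "*"):          {445, 3389},
}


def zone_of(ip):
    """Map an address to its zone name, or None if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def decide(src_ip, dst_ip, dst_port):
    """Return (allowed, reason) for a TCP connection attempt under the policy."""
    src_zone = zone_of(src_ip)
    role = SERVER_ROLES.get(dst_ip)
    if src_zone is None:
        return False, "source not in any known zone"
    if role is None:
        return False, "destination is not an inventoried server"
    # A role-specific entry or a zone-wide "*" entry may permit the port.
    for key in ((src_zone, role), (src_zone, "*")):
        if dst_port in ALLOW.get(key, set()):
            return True, "%s -> %s/%d permitted" % (src_zone, role, dst_port)
    return False, "%s -> %s/%d not in allow-list" % (src_zone, role, dst_port)


LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def audit(log_lines):
    """Run each connection record through the policy; return the ones it denies."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip records that do not carry a connection tuple
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        allowed, reason = decide(src, dst, port)
        if not allowed:
            flagged.append((line.strip(), reason))
    return flagged


# Constructed sample records in the shape a firewall log might carry.
SAMPLE_LOG = [
    "2007-05-08T09:01:12 src=10.10.4.21 dst=10.100.0.10 dport=88 proto=tcp",
    "2007-05-08T09:01:15 src=10.10.4.21 dst=10.100.0.30 dport=1433 proto=tcp",
    "2007-05-08T09:02:40 src=10.100.0.20 dst=10.100.0.30 dport=1433 proto=tcp",
    "2007-05-08T09:03:03 src=10.30.0.5 dst=10.100.0.10 dport=389 proto=tcp",
    "2007-05-08T09:04:17 src=10.20.0.7 dst=10.100.0.40 dport=3389 proto=tcp",
]

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_LOG):
        print("DENY", record, "--", reason)
```

Running the script flags two of the five sample records: a workstation talking straight to the SQL server, and a vendor box reaching for LDAP on the domain controller. The same `decide()` table can be used in both directions: to generate the firewall's rule set from the inventory, and to review the firewall's logs for attempts the policy refuses, which is the part of the thread's "centralized logging" argument that only pays off if someone looks at the output.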