> From: Dan Lynch
> Sent: Monday, May 07, 2007 3:35 PM

> How prevalent is it to segregate internal use servers away from internal
> clients behind firewalls? What benefits might we gain from the practice?
> What threats are we protected from?

In my experience, having servers on a separate segment controlled by
routers/switches with ACL is the most common configuration, with appliance
firewalls segregating segments also common. You enumerate many of the

> The firewall/security group argues that servers and clients should exist
> in separate security zones, and that consolidating servers behind
> firewalls allows us to
> - Control which clients connect to which servers on what ports
> - Centralized administration of that network access
> - Centralized logging of network access
> - a single point for intrusion detection and prevention measures
> These benefits protect us from risk associated with internal attackers
> and infected mobile devices or vendor workstations.

Counter arguments to disadvantages below.

> On the other hand, the server team counters that
> - troubleshooting problems becomes more difficult

Actually, segregation will ease troubleshooting, since traffic is monitored and
should be logged. Since both domain controllers and application servers are on
the same segment, the only traffic across the internal firewall should be client
access to these servers.

> - firewall restrictions on which workstations can perform administration
> makes general maintenance inconvenient, esp. in an emergency

If you have proper change control management, this should not be a problem.
In fact, a good firewall helps guarantee controlled change by ensuring
documentation of all changes to server configurations. During an emergency, you
don't want uncontrolled changes which could make the emergency worse.

> - the threats we're countering are exceedingly rare

Internal threats are the most common kind, more often mistakes rather than
vicious acts, but causing damage just the same.

> - a broken (or hacked) firewall config breaks all access to servers if
> consolidated behind firewalls

No more so than a broken or hacked server configuration. The same problem of
blocked access happens if routing is broken as well, so it really is a non

> Any and all thoughts are appreciated.
> Dan Lynch, CISSP
> Information Technology Analyst
> County of Placer
> Auburn, CA

firewall-wizards mailing list
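As an added illustration of the logging and access-control points made in the thread (not code from the list or its posters), the check below walks constructed firewall log lines for the client/server split described above and flags flows the segmentation policy does not expect: server-initiated connections into the client segment, admin ports reached from non-admin workstations, and client access to unexpected server ports. The segment ranges, admin hosts, port sets and log format are all assumptions.

```python
# Added example: audit internal-firewall log lines against a client/server
# segmentation policy. Networks, hosts, ports and log format are constructed.
import ipaddress
from dataclasses import dataclass

CLIENT_NET = ipaddress.ip_network("10.1.0.0/16")    # assumed client segment
SERVER_NET = ipaddress.ip_network("10.2.0.0/24")    # assumed DC + app server segment
ADMIN_HOSTS = {ipaddress.ip_address("10.1.50.10")}  # assumed admin workstations

# Ports ordinary clients may reach on servers (AD/DNS/LDAP/Kerberos/SMB, app HTTPS)
CLIENT_PORTS = {53, 88, 135, 389, 445, 636, 3268, 443}
ADMIN_PORTS = {22, 3389}  # management access, admin workstations only

@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    action: str

def parse_line(line: str) -> Flow:
    # constructed format: "src=10.1.20.5 dst=10.2.0.10 dport=445 action=allow"
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(ipaddress.ip_address(kv["src"]), ipaddress.ip_address(kv["dst"]),
                int(kv["dport"]), kv["action"])

def classify(f: Flow) -> str:
    """Return 'ok' or the reason this flow violates the segmentation policy."""
    if f.src in SERVER_NET and f.dst in CLIENT_NET:
        return "server-initiated connection to client segment"
    if f.src in CLIENT_NET and f.dst in SERVER_NET:
        if f.dport in ADMIN_PORTS:
            return "ok" if f.src in ADMIN_HOSTS else "admin port from non-admin workstation"
        return "ok" if f.dport in CLIENT_PORTS else f"client to unexpected server port {f.dport}"
    return "flow outside client<->server zones"

def audit(lines):
    """Return (line, reason) for every flow the policy does not expect.
    An 'allow' among the findings points at a firewall rule that drifted."""
    findings = []
    for line in lines:
        reason = classify(parse_line(line))
        if reason != "ok":
            findings.append((line, reason))
    return findings

SAMPLE_LOG = [  # constructed sample lines
    "src=10.1.20.5 dst=10.2.0.10 dport=445 action=allow",
    "src=10.1.20.5 dst=10.2.0.10 dport=3389 action=allow",
    "src=10.1.50.10 dst=10.2.0.10 dport=3389 action=allow",
    "src=10.2.0.10 dst=10.1.20.5 dport=445 action=allow",
    "src=10.1.20.5 dst=10.2.0.11 dport=8080 action=deny",
]
```

Running `audit(SAMPLE_LOG)` yields three findings; the two marked `allow` are the ones worth a change-control ticket.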