I'd agree with both view points :-)
Which way you go, depends on what your priorities are.

However, [a] I reckon that trouble shooting is easier if you know
whats going on in your network. The firewall logs will usually help in
this, not hinder you.
[b] most threats are very rare, doesn't mean that you should ignore them all.


On 5/8/07, Dan Lynch wrote:
> Greetings list,
> I'm looking for opinions on internal enterprise network firewalling. Our
> environment is almost exclusively Microsoft Active Directory-based.
> There are general purpose file servers, AD domain controllers, SMS
> servers, Exchange servers, and MS-SQL-based datase app servers. In all
> about 80+ servers for over 2500 users on about 2000 client machines, all
> running Windows XP.
> How prevalent is it to segregate internal use servers away from internal
> clients behind firewalls? What benefits might we gain from the practice?
> What threats are we protected from?
> The firewall/security group argues that servers and clients should exist
> in separate security zones, and that consolidating servers behind
> firewalls allows us to
> - Control which clients connect to which servers on what ports
> - Centralized administration of that network access
> - Centralized logging of network access
> - a single point for intrusion detection and prevention measures
> These benefits protect us from risk associated with internal attackers
> and infected mobile devices or vendor workstations.
> On the other hand, the server team counters that
> - troubleshooting problems becomes more difficult
> - firewall restrictions on which workstations can perform administration
> makes general maintenance inconvenient, esp. in an emergency
> - the threats we're countering are exceedingly rare
> - a broken (or hacked) firewall config breaks all access to servers if
> consolidated behind firewalls
> Any and all thoughts are appreciated.
> Dan Lynch, CISSP
> Information Technology Analyst
> County of Placer
> Auburn, CA
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailma...rewall-wizards

firewall-wizards mailing list