On May 7, 2007, at 2:35 PM, Dan Lynch wrote:

> Greetings list,


[description of a stereotypical Microsoft shop deleted]

> How prevalent is it to segregate internal use servers away from
> internal clients behind firewalls? What benefits might we gain from
> the practice? What threats are we protected from?
> The firewall/security group argues that servers and clients should
> exist in separate security zones, and that consolidating servers
> behind firewalls allows us to

Ahhhh... yes ... "security zones"... I know where this is going....
Let me guess - recent college graduates with a degree in Information
Security here?

> - Control which clients connect to which servers on what ports

Bollocks! The very ports you have to open are usually the very ports
that suffer the biggest issues (Microsoft RPC or MSSQL ports, for
example), so putting in a firewall is not going to help. And how is
your organization going to define what ports are opened from where?
Are all your accountants in the same place? Doubtful. Are all your
engineers in the same place? Doubtful. Do you have an accurate map of
data flows and servers? Doubtful. Then again, maybe you have all
these things...

> - Centralized administration of that network access

I fail to see how centralizing admin of network controls is relevant
to the argument.

> - Centralized logging of network access

While I generally encourage logging - this will generate A LOT of logs.

> - a single point for intrusion detection and prevention measures

IDS/IPS are not firewalls and vice versa (although there is some
morphing going on) - completely separate discussion.

> On the other hand, the server team counters that
> - troubleshooting problems becomes more difficult
> - firewall restrictions on which workstations can perform
> administration makes general maintenance inconvenient, esp. in an
> emergency

Cry me a river.

> - the threats we're countering are exceedingly rare

You plan for the threats you aren't encountering.

> - a broken (or hacked) firewall config breaks all access to servers if
> consolidated behind firewalls

So can a broken switch, a broken router, a broken UPS, someone
knocking out a power cord. Sigh ... in general, server people look
at firewalls as mysterious black boxes that they neither control nor
understand. This is an operational problem: have good procedures
and it's not an issue (of course many have problems with this).

My general take is that central enterprise servers are managed better
and are patched more frequently than desktops or non-enterprise
servers (in companies that I've worked in). So the risk of something
or someone messing with those servers is lower. I encourage frequent
audits of the environment, centralized logging of changes, and
aggressive patching of servers.

There are also bandwidth concerns. The firewall you would need to put
in to support, say, a 10 Gig Ethernet connection is going to be
expensive.

I do encourage segmenting off vendor managed systems, labs,
development environments, and systems that are critical to the
company such as manufacturing or ATMs (all depending on the industry).

I'm coming from medium to large companies that generally have
operations in more than one country, so your mileage may vary from my


firewall-wizards mailing list
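Two of the points in the reply above, that you need an accurate map of data flows before you can write client-to-server rules, and that the ports you are forced to open are the ones (Microsoft RPC, MSSQL) with the worst history, can be turned into a concrete check. The following is an added example, not code from the original thread or from anyone on the list: it collapses observed flow records into a candidate cross-zone allow list, flags the entries that open the protocols the reply names, and reports source addresses that belong to no documented zone. The zone layout, the flow records and the risky-port table are constructed assumptions for illustration; the port numbers (135, 445, 1433) are the standard assignments, not figures from the page.

```python
"""Derive a cross-zone allow list from observed flows and audit it.

Added example, not from the original mailing-list thread. Zone subnets,
sample flows and the risky-port table below are constructed for
illustration and are not data taken from the page.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed zone layout (hypothetical; not from the original message).
ZONES = {
    "accounting": ip_network("10.1.0.0/24"),
    "engineering": ip_network("10.2.0.0/24"),
    "servers": ip_network("10.10.0.0/24"),
}

# Protocols the reply singles out as historically troublesome. The port
# numbers are the well-known assignments, not figures from the page.
RISKY_PORTS = {135: "MS RPC endpoint mapper", 445: "SMB", 1433: "MSSQL"}

# Constructed flow records: (src_ip, dst_ip, dst_port). In practice these
# come from NetFlow, a SPAN capture or firewall logs collected over weeks.
SAMPLE_FLOWS = [
    ("10.1.0.12", "10.10.0.5", 445),     # accounting -> file server (SMB)
    ("10.1.0.17", "10.10.0.9", 1433),    # accounting -> MSSQL
    ("10.2.0.40", "10.10.0.5", 445),     # engineering -> file server (SMB)
    ("10.2.0.41", "10.10.0.7", 22),      # engineering -> build host (SSH)
    ("10.1.0.12", "10.10.0.5", 135),     # accounting -> RPC endpoint mapper
    ("10.2.0.40", "10.10.0.9", 1433),    # engineering also hits MSSQL
    ("10.10.0.5", "10.10.0.9", 1433),    # server-to-server, inside one zone
    ("192.168.50.3", "10.10.0.5", 445),  # client from an undocumented subnet
]


def zone_of(ip):
    """Map an address to its zone name, or None if it is in no known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def derive_allow_list(flows):
    """Collapse flows into {(src_zone, dst_zone, port): hit_count}.

    Only cross-zone flows between documented zones are kept: traffic that
    stays inside a zone never crosses the inter-zone firewall, and a flow
    from an unmapped source cannot be expressed as a rule at all.
    """
    counts = defaultdict(int)
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone is None or dst_zone is None or src_zone == dst_zone:
            continue
        counts[(src_zone, dst_zone, port)] += 1
    return dict(counts)


def risky_rules(allow_list):
    """Return allow-list entries that open a port listed in RISKY_PORTS.

    These are the rules the reply argues a firewall cannot help with: the
    port must stay open for the business to work, so the real control is
    patching and hardening on the server behind it.
    """
    return sorted(
        (src, dst, port, RISKY_PORTS[port])
        for (src, dst, port) in allow_list
        if port in RISKY_PORTS
    )


def coverage_gap(flows):
    """Source addresses outside every defined zone.

    This is the 'do you have an accurate map?' problem: each address here
    is a client nobody can write a zone-based rule for yet.
    """
    return sorted({src for src, _, _ in flows if zone_of(src) is None})


if __name__ == "__main__":
    allow = derive_allow_list(SAMPLE_FLOWS)
    for (src, dst, port), hits in sorted(allow.items()):
        print(f"allow {src:<12} -> {dst:<8} tcp/{port:<5} ({hits} flows)")
    for src, dst, port, what in risky_rules(allow):
        print(f"WARNING: {src} -> {dst} tcp/{port} opens {what}")
    print("unmapped sources:", coverage_gap(SAMPLE_FLOWS))
```

Run against real flow data, the interesting output is not the allow list itself but the two audit results: the share of rules that land on RISKY_PORTS tells you how much the zoning actually buys beyond what server patching already has to cover, and a non-empty coverage gap means the data-flow map is not accurate enough to write the rules the firewall group is proposing.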