I've had the displeasure of trying to "protect" departments from each other so I'll throw my two cents at this one.

The real solution is to implement access controls to the data instead of trying to segment the individual LANs.  It has been my experience that firewalling between departments that do business with each other soon becomes an administrative nightmare.  Every Tom, Dick and Harriet manager, auditor, accountant, attorney, admin assistant, and-on-and-on, etc., etc., etc. . . has some reason why they needed "special" access through the firewall.  To give you an idea of how bad this got, at one point there were over 1,800 IP filtering rules on 21 different routers.

For all practical purposes these rules were there so personnel in the departments didn't have to do anything to protect their resources.  This got changed.  First we educated the owners of the data on their responsibility to classify their data and determine who should have access to it.  Then we set up groups to implement those controls.  Then we gave the owners of the data the ability to add or remove people from those groups as they saw fit.  Finally, we removed the majority of the filter rules from the routers.

-- Bill Stackpole, CISSP
 
 


David Van Damme <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]

11/29/00 06:59 AM

       
        To:        "'Hubert Felber'" <[EMAIL PROTECTED]>
        cc:        "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
        Subject:        RE: Firewall for LAN




Why would a firewall between LANs be a lot different than a `regular`
firewall?
Any firewall where you can disable the NAT would do, right?

David


-----Original Message-----
From: Hubert Felber [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 29, 2000 3:35 PM
To: [EMAIL PROTECTED]
Subject: Firewall for LAN


Hi,

I am looking for firewall solutions to work on the LAN. We want to protect
the inhouse departments from each other. Once there was a product called
Eagle LAN from Raptor. I don't know if this still exists, but this is
exactly the kind of firewall solution I am looking for.

Does anybody know, or can anybody recommend a product?

Thank you
Hubert

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]