If you think of your network like an onion (typical Defense in Depth
analogy) then think of your internal network like a submarine.
Compartmentalize and segregate - if possible.

How much help would this be in the event of another worm outbreak? The
ability to quickly lock down the entire internal network is of significant
benefit in cases like these (worms). I see this as a major advantage of
internal firewalls. Really though this functionality can be gained through
ACLs on routers.

Business networks exist to enable business to get done. As such - business
need always impacts security decisions. That said - I am convinced internal
firewalls can be put into place without significantly disrupting day to day
business needs. It is a very important thing to keep in mind, however - as
messing up a firewall on the internal network can cause as much disruption
as a worm :)

Brent Deterding
LURHQ Corporation
Security Engineer
(630) 371-4704
[EMAIL PROTECTED]
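
Added example (not part of the original message or the thread): a small first-match rule evaluator that models an emergency lockdown between internal segments and checks, before the change is pushed, that required business flows still pass. All segment addresses, ports, rule sets and the names `decide`, `lockdown` and `broken_flows` are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample segments; none of these addresses come from the thread.
USERS, HR_USERS = "10.10.0.0/16", "10.10.50.0/24"
FILESRV, HR, INTERNAL = "10.20.0.0/24", "10.30.0.0/24", "10.0.0.0/8"

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # destination port, None matches any port

def decide(rules, src, dst, proto, port):
    """First matching rule wins; unmatched traffic is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto) and r.port in (None, port)):
            return r.action
    return "deny"

NORMAL = [
    Rule("permit", USERS, FILESRV, "tcp", 445),       # file sharing only
    Rule("deny", INTERNAL, FILESRV, "any", None),
    Rule("permit", HR_USERS, HR, "tcp", 443),         # HR application
    Rule("deny", INTERNAL, HR, "any", None),
    Rule("permit", INTERNAL, INTERNAL, "any", None),  # everything else
]

def lockdown(rules):
    """Emergency rule set: block workstation-to-workstation traffic first."""
    return [Rule("deny", USERS, USERS, "any", None)] + rules

# Flows the business cannot lose (constructed): (src, dst, proto, port).
REQUIRED = [("10.10.1.20", "10.20.0.5", "tcp", 445),
            ("10.10.50.7", "10.30.0.9", "tcp", 443)]

def broken_flows(rules, required=REQUIRED):
    """Required flows the rule set would deny; run before pushing a change."""
    return [f for f in required if decide(rules, *f) != "permit"]

if __name__ == "__main__":
    print("lockdown breaks:", broken_flows(lockdown(NORMAL)))
    too_broad = [Rule("deny", INTERNAL, INTERNAL, "any", None)] + NORMAL
    print("too-broad lockdown breaks:", broken_flows(too_broad))
```

The second call shows the failure mode: a lockdown rule written too broadly denies both required flows, which the check reports before the rule set reaches a device.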

> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] Behalf Of Wes
> Noonan
> Sent: Tuesday, December 09, 2003 11:25 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [FW-1] use of internal firewalls
>
>
> I'm actually writing a book on this subject (technically it is on hardening
> your network infrastructure, but this will be a component in a chapter). The
> quick answers off the hip are:
>
> 1) To protect internal resources such as business critical servers and
> systems (i.e. HR data) from threats in the exact same manner that you
> protect your network from the Internet.
> 2) To filter and restrict data entering your network over non-Internet based
> links. For example, putting a firewall between your frame-relay router and
> your internal network.
> 3) To very granularly restrict the traffic that can pass through a given
> segment. For example, if you run a bunch of file servers you can place a
> firewall in front of them and only allow file sharing ports to be opened
> from your users.
> 4) To provide application proxy functionality against your servers.
>
> Here is a quick CERT recommendation:
> http://www.cert.org/security-improvement/practices/p075.html
>
> HTH
>
> Wes Noonan
> [EMAIL PROTECTED]
> http://www.wjnconsulting.com
>
>
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1 [mailto:FW-1-
> > [EMAIL PROTECTED] On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Tuesday, December 09, 2003 09:44
> > To: [EMAIL PROTECTED]
> > Subject: [FW-1] use of internal firewalls
> >
> > Hi
> >
> > Anyone have any good documents on why one should use an internal firewall,
> > or statistics on the number of organisations using internal firewalls?
> >
> >
> >
> >
> > This E-mail transmission may contain confidential or legally privileged
> > information that is intended for the addressee only.
> > E-mail communications are not necessarily secure and may be intercepted or
> > altered after they are sent. Norwich Union International does not accept
> > liability for any such alterations. Any views or opinions presented are
> > solely those of the author and do not necessarily represent those of
> > Norwich Union International. If you are not the intended recipient, you are
> > hereby notified that any disclosure, copying, distribution or reliance upon
> > the contents of this E-mail is strictly prohibited. If you have received
> > this E-mail transmission in error, please notify the sender immediately, so
> > that Norwich Union International may arrange for its proper delivery.
> > Please then delete the message from your inbox. While steps have been taken
> > to prevent computer viruses, we cannot guarantee that attachments are virus
> > free and we would therefore advise that you make further checks as Norwich
> > Union International are not liable to third parties for any damages
> > resulting.
> >
> > Norwich Union International Limited is supervised by the Regulatory
> > Authorities of the Republic of Ireland.
> >
> > Norwich Union International Limited 6 Georges Dock International Financial
> > Services Centre Dublin 1 Republic of Ireland Registered No 303257
> > Telephone + 353 1 802 8494 Fax + 353 1 802 8400
> > www.nuinternational.com
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to [EMAIL PROTECTED]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [EMAIL PROTECTED]
> > =================================================
>
