Although I have no problem with internal firewalls, I would also like to point out that a lot of these outbreaks could have been more contained had folks disabled unneeded services on internal servers, just like they should with servers on the Internet. If you do not need SMTP and IIS running on your NT server, then disable the service. Don't need the Messenger service? Disable it. Don't need Apache, sendmail, and IMAPD on your Solaris phone switch? Disable them.
That said, most folks don't do this. If you were to place a firewall or ACLs between the clients and the servers, limiting what the clients could access on the servers, then your firewall guy could block ports to your phone switch that is running old versions of BIND, sendmail, and the like. Even if he doesn't have a login to the server, he can protect it. I agree that this is a good design, but it does add an additional single point of failure. In a spanning-tree network with multiple links for redundancy you would have multiple firewalls on the LAN to limit exposure to single points of failure.

I also like the idea of having a managed firewall on the client. ZoneAlarm and Checkpoint both offer this. If I can control what the user can access on the internal network from his PC, then I can really limit my exposure. I could have a generic policy that allows the basic file sharing that occurs, SMTP only to my SMTP server, HTTP to anywhere but those places my Surfcontrol server says to block, POP3 to my POP3 server, and so on.

Of course this doesn't protect against a rogue laptop, so I think it would be beneficial to also have rules at the switch-port layer enforcing the same policy installed on the client. If a new client gets plugged in, it gets my bare minimal policy, which may say zero access. In addition, this system could check patch levels on a PC. If it is missing critical patches or antivirus pattern updates, then it is forced to get updated before it has any real access to my network. There are OPSEC and non-OPSEC vendors that offer this software.

Of course this is getting extreme and would be hard to manage today. We need a good management package in which we would define these rules, and then these rules would be pushed to the clients/switches/routers/FW.
http://www.primeinc.com

To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
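The per-client policy the post sketches (file sharing to the file servers, SMTP only to the mail relay, HTTP anywhere except the web-filter blocklist, POP3 only to the mail store, nothing at all for an unknown client, and quarantine-until-patched for a client whose patch or AV pattern level is stale) can be written down as an ordered, default-deny rule set and evaluated per connection. The following is an added example written for this page; it is not code from the post, from Checkpoint, ZoneAlarm or Surfcontrol, or from any OPSEC product. All addresses, the blocklist network, the update-server role and the patch identifier are constructed assumptions, and the posture fields on `Client` stand in for whatever a real agent or switch would report.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Tuple

# All addresses and names below are constructed for illustration (TEST-NET and
# RFC 1918 space); they are not taken from the mailing-list post.
SMTP_SERVER = ip_network("10.0.1.25/32")
POP3_SERVER = ip_network("10.0.1.26/32")
FILE_SERVERS = ip_network("10.0.1.0/24")
UPDATE_SERVER = ip_network("10.0.1.40/32")   # hypothetical patch / AV pattern server
ANY = ip_network("0.0.0.0/0")

# Stand-in for "those places my Surfcontrol server says to block".
WEB_BLOCKLIST = [ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp" or "udp"
    dport: int            # destination port
    dst: IPv4Network      # destination network the rule applies to
    action: str           # "allow" or "deny"
    note: str = ""        # why the rule exists; returned with the decision


# The generic policy from the post, as an ordered list: first match wins and
# anything that matches nothing is denied. The blocklist deny rules must sit
# before the catch-all HTTP allow or they would never be reached.
GENERIC_POLICY: List[Rule] = (
    [Rule("tcp", 445, FILE_SERVERS, "allow", "SMB file sharing"),
     Rule("tcp", 139, FILE_SERVERS, "allow", "NetBIOS session"),
     Rule("tcp", 25, SMTP_SERVER, "allow", "SMTP to mail relay only"),
     Rule("tcp", 110, POP3_SERVER, "allow", "POP3 to mail store only")]
    + [Rule("tcp", 80, net, "deny", "web filter blocklist") for net in WEB_BLOCKLIST]
    + [Rule("tcp", 80, ANY, "allow", "HTTP anywhere not blocklisted")]
)

# A known client missing critical patches or AV patterns may only reach the
# update server until it is current.
QUARANTINE_POLICY: List[Rule] = [
    Rule("tcp", 443, UPDATE_SERVER, "allow", "fetch patches / AV patterns"),
]

# A client the switch port has never seen gets the bare minimum: no access.
UNKNOWN_POLICY: List[Rule] = []


@dataclass
class Client:
    mac: str
    known: bool = False                          # enrolled with the management system?
    missing_critical_patches: Tuple[str, ...] = ()   # hypothetical patch IDs
    av_patterns_current: bool = True


def policy_for(client: Client) -> List[Rule]:
    """Choose the rule set the host agent / switch port should enforce."""
    if not client.known:
        return UNKNOWN_POLICY
    if client.missing_critical_patches or not client.av_patterns_current:
        return QUARANTINE_POLICY
    return GENERIC_POLICY


def decide(client: Client, proto: str, dst: str, dport: int) -> Tuple[str, str]:
    """Evaluate one outbound connection attempt: first matching rule wins,
    default deny. Returns (action, reason)."""
    dst_ip = ip_address(dst)
    for rule in policy_for(client):
        if rule.proto == proto and rule.dport == dport and dst_ip in rule.dst:
            return rule.action, rule.note
    return "deny", "no matching rule (default deny)"


if __name__ == "__main__":
    # Constructed sample clients: one healthy, one rogue, one unpatched.
    healthy = Client("00:11:22:33:44:55", known=True)
    rogue = Client("de:ad:be:ef:00:01")
    stale = Client("00:11:22:33:44:66", known=True,
                   missing_critical_patches=("hypothetical-critical-1",))
    for who, c in (("healthy", healthy), ("rogue", rogue), ("stale", stale)):
        for proto, dst, port in (("tcp", "10.0.1.25", 25), ("tcp", "203.0.113.7", 25),
                                 ("tcp", "198.51.100.9", 80), ("tcp", "10.0.1.40", 443)):
            print(who, proto, dst, port, decide(c, proto, dst, port))
```

Rule order carries the policy: the blocklist denies precede the catch-all HTTP allow, and because evaluation falls through to deny, the "zero access" policy for an unknown client is simply an empty list rather than a special case. The same rule objects could be rendered into Checkpoint, ZoneAlarm or switch ACL syntax by one management package, which is the push model the post asks for.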
