> By adding a firewall between your users and your servers you will be
> dealing with an overly complex setup. The only rationale for doing this
> is if you do not trust the users, i.e. public access or student/lab
> users. If that is the case restrict the public access or labs from the
> LAN on a DMZ.
> Enforce policies on proper use, updates and antivirus. Don't allow IM or
> AOL installs. Restrict installation rights on your workstations.
> Consider some kind of web content filtering to restrict access to
> questionable material/games.
I know of a large healthcare company that attempted to firewall off their
servers because they believed that HIPAA compliance called for that. What
ended up happening is that they created a lot of latency in their network
which caused critical services to time out, created bottlenecks, created
frequent disconnects, and ultimately resulted in lost worker productivity.
You have to weigh the potential problems caused by that level of security
versus the harms you are trying to prevent. Make sure you lock down your
servers so they are only running the services they need to perform their
Vince Van De Coevering
Figaro's Italian Pizza, Inc.
vpv at figaros dot com