On 9/1/05, Vince Van De Coevering <vpv at figaros dot com> wrote:
> > By adding a firewall between your users and your servers you will be
> > dealing with an overly complex setup. The only rationale for doing this
> > is if you do not trust the users, i.e. public access or student/lab
> > users. If that is the case restrict the public access or labs from the
> > LAN on a DMZ.
> > Enforce policies on proper use, updates and antivirus. Don't allow IM or
> > AOL installs. Restrict installation rights on your workstations.
> > Consider some kind of web content filtering to restrict access to
> > questionable material/games.
> I know of a large healthcare company who attempted to firewall off their
> servers because they believed that HIPAA compliance called for that. What
> ended up happening is that they created a lot of latency in their network
> which caused critical services to timeout, created bottlenecks, created
> frequent disconnects, and ultimately resulted in lost worker productivity.
Yep, that's likely exactly what you're going to end up with, using a
typical firewall or router.
The proper way to do this would be to use VLANs and an L3 switch. An
L3 switch is really the only feasible way to route between subnets
quickly enough that the latency and throughput degradation will be
virtually immeasurable, even up to gigabit wire speed.
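The setup the reply above describes, as an added illustration that is not part of the original thread: user workstations and servers on separate VLANs, an L3 switch routing between them in hardware via SVIs, and the user-to-server restriction done with a port ACL on the user-side SVI instead of an inline firewall. The syntax is Cisco IOS-style; the VLAN IDs, subnets, server addresses, ports and interface names are all assumed for the example.

```cisco
! Added example (not from the original post). Cisco IOS-style syntax;
! VLAN IDs, subnets, server hosts and interface names are assumptions.

! Turn the switch into a router between its VLANs
ip routing

vlan 10
 name USERS
vlan 20
 name SERVERS

! Routed interfaces (SVIs): the switch is the default gateway for each VLAN.
! The ACL is applied inbound on the user SVI, i.e. as traffic leaves the
! user VLAN towards the servers.
interface Vlan10
 description User workstations
 ip address 10.10.0.1 255.255.255.0
 ip access-group USERS-TO-SERVERS in
interface Vlan20
 description Servers
 ip address 10.20.0.1 255.255.255.0

! Access ports: each workstation or server is placed in its VLAN
interface GigabitEthernet1/0/1
 description workstation
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet1/0/24
 description file server
 switchport mode access
 switchport access vlan 20

! Stateless ACL evaluated in the forwarding hardware, so it adds no
! measurable latency. Only the named services on the server subnet are
! reachable from the user subnet; everything else towards the servers is
! dropped, and traffic to other destinations (e.g. the Internet) is left
! alone. Assumed hosts: 10.20.0.10 = file server, 10.20.0.20 = web app,
! 10.20.0.30 = DNS.
ip access-list extended USERS-TO-SERVERS
 permit tcp 10.10.0.0 0.0.0.255 host 10.20.0.10 eq 445
 permit tcp 10.10.0.0 0.0.0.255 host 10.20.0.20 eq 443
 permit udp 10.10.0.0 0.0.0.255 host 10.20.0.30 eq 53
 deny   ip  10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255
 permit ip  any any
```

Two caveats a practitioner should keep in mind: the ACL is stateless, so it does not track connections the way a firewall does (if you also filter the server-to-user direction, the return traffic has to be permitted explicitly), and on many switch platforms adding `log` to an ACL entry pushes matching packets to the CPU, which reintroduces exactly the latency the hardware path was meant to avoid; keep logging entries for troubleshooting rather than steady-state.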