 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Re: Internal Firewall
 Date:  Thu, 1 Sep 2005 17:16:03 -0400
On 9/1/05, Vince Van De Coevering <vpv at figaros dot com> wrote:
> > By adding a firewall between your users and your servers you will be
> > dealing with an overly complex setup. The only rationale for doing this
> > is if you do not trust the users, i.e. public access or student/lab
> > users. If that is the case restrict the public access or labs from the
> > LAN on a DMZ.
> >
> > Enforce policies on proper use, updates and antivirus. Don't allow IM or
> > AOL installs. Restrict installation rights on your workstations.
> > Consider some kind of web content filtering to restrict access to
> > questionable material/games.
> I know of a large healthcare company who attempted to firewall off their
> servers because they believed that HIPAA compliance called for that.  What
> ended up happening is that they created a lot of latency in their network
> which caused critical services to time out, created bottlenecks, created
> frequent disconnects, and ultimately resulted in lost worker productivity.

Yep, that's likely exactly what you're going to end up with, using a
typical firewall or router.

The proper way to do this would be to use VLANs and a L3 switch.  A
L3 switch is really the only feasible way to route between subnets
quickly enough that the latency and throughput degradation will be
virtually immeasurable, even up to gigabit wire speed.
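The VLAN-plus-L3-switch design above moves the user/server boundary off the firewall and onto the switch, where the inter-VLAN policy lives in a first-match ACL on the routed VLAN interfaces. The following Python model is an added example, not code from this thread or from m0n0wall; the VLAN numbers, subnets, the `Rule`/`evaluate` names and the policy itself are constructed assumptions. It shows the two things that bite people when they write that ACL: intra-VLAN traffic never reaches the routed policy at all (it is switched at layer 2), and rule order decides everything, so a broad "users may reach anything" rule must be preceded by an explicit deny for the server VLAN.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed VLAN plan (assumption, not from the thread): one subnet per VLAN,
# all routed by the L3 switch rather than by the edge firewall.
VLANS = {
    10: ipaddress.ip_network("10.0.10.0/24"),  # users
    20: ipaddress.ip_network("10.0.20.0/24"),  # servers
    30: ipaddress.ip_network("10.0.30.0/24"),  # lab / public access
}

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    """One entry of a first-match ACL on a routed VLAN interface (hypothetical model)."""
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port


# Hypothetical inter-VLAN policy. Order matters: the DNS permit sits above the
# lab deny so the lab can still resolve names, and the explicit users->servers
# deny sits above the users->ANY catch-all so that catch-all cannot leak access
# to every server port.
ACL = [
    Rule("permit", VLANS[10], VLANS[20], "tcp", 445),  # users -> file servers
    Rule("permit", VLANS[10], VLANS[20], "tcp", 443),  # users -> web apps
    Rule("permit", ANY, VLANS[20], "udp", 53),         # everyone -> DNS on server VLAN
    Rule("deny", VLANS[10], VLANS[20]),                # users -> servers: nothing else
    Rule("deny", VLANS[30], VLANS[20]),                # lab never reaches servers
    Rule("deny", VLANS[30], VLANS[10]),                # lab never reaches users
    Rule("permit", VLANS[10], ANY),                    # users may leave for the internet
    Rule("permit", VLANS[30], ANY),                    # lab may leave for the internet
]


def vlan_of(ip: ipaddress.IPv4Address) -> Optional[int]:
    """Return the VLAN id whose subnet contains ip, or None if it is off-plan."""
    for vid, net in VLANS.items():
        if ip in net:
            return vid
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Decide what the L3 switch does with one flow and say which rule decided it."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    # Same-VLAN traffic is forwarded at layer 2 and never consults the routed ACL.
    src_vlan = vlan_of(src)
    if src_vlan is not None and src_vlan == vlan_of(dst):
        return "permit", "intra-vlan (switched, ACL not consulted)"
    for idx, rule in enumerate(ACL):
        if (src in rule.src and dst in rule.dst
                and (rule.proto is None or rule.proto == proto)
                and (rule.dport is None or rule.dport == dport)):
            return rule.action, f"rule {idx}"
    # Every real ACL ends in an implicit deny; make it visible in the verdict.
    return "deny", "implicit deny"


if __name__ == "__main__":
    # Constructed sample flows exercising each branch of the policy.
    for flow in [("10.0.10.5", "10.0.20.7", "tcp", 445),
                 ("10.0.10.5", "10.0.20.7", "tcp", 22),
                 ("10.0.30.5", "10.0.20.7", "udp", 53),
                 ("10.0.30.5", "10.0.20.7", "tcp", 445),
                 ("10.0.10.5", "10.0.10.9", "tcp", 445),
                 ("192.168.1.1", "10.0.20.7", "tcp", 80)]:
        print(flow, "->", evaluate(*flow))
```

Running the script walks six constructed flows through the policy; the useful cases to study are the user-to-server SSH attempt, which the explicit deny at rule 3 stops before the internet catch-all could permit it, and the off-plan source address, which falls through to the implicit deny.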