On 9/1/05, Vince Van De Coevering <vpv at figaros dot com> wrote:
> > By adding a firewall between your users and your servers you will be
> > dealing with an overly complex setup. The only rationale for doing this
> > is if you do not trust the users, i.e. public access or student/lab
> > users. If that is the case, restrict the public access or labs from the
> > LAN on a DMZ.
> >
> > Enforce policies on proper use, updates and antivirus. Don't allow IM or
> > AOL installs. Restrict installation rights on your workstations.
> > Consider some kind of web content filtering to restrict access to
> > questionable material/games.
>
> I know of a large healthcare company who attempted to firewall off their
> servers because they believed that HIPAA compliance called for that. What
> ended up happening is that they created a lot of latency in their network
> which caused critical services to time out, created bottlenecks, created
> frequent disconnects, and ultimately resulted in lost worker productivity.

Yep, that's likely exactly what you're going to end up with, using a typical firewall or router. The proper way to do this would be to use VLANs and an L3 switch. An L3 switch is really the only feasible way to route between subnets quickly enough that the latency and throughput degradation will be virtually immeasurable, even up to gigabit wire speed.

-Chris