[ previous ] [ next ] [ threads ]
 From:  Daniele Guazzoni <daniele dot guazzoni at gcomm dot ch>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Re: Internal Firewall
 Date:  Fri, 02 Sep 2005 01:09:47 +0200
Is not only a matter of trust / don't trust the users.

We (where I work) have an ASP setup with something about 15 different 
applications involving about 200 machines (physical and virtual).

In a classical setup with security zones (internet, DMZ, intranet) you 
end up having lots of servers in the same segment and you filter 
communications only at the segment boundary.
The risk is that one single compromised server can tear down the whole 

We created applications VLAN thus isolate each application in its own 
segment. The communication between VLANs is either filtered with ACLs on 
  switches or is done with firewalls.
I have to admit that we don't use m0n0wall for this setup...

Regarding Andrew original question:
In a setup with M$ machines I urge you to separate desktops from 
servers. We all know how secure M$ intrinsically is...
To reduce latency for large volume transfers (fileserver for instance) 
you can always set up a fileserver within the user segment using a less 
"easy to crack" system (NetApp is a good idea if you don't care about 
money) like BSD or Linux with Samba.

But security is never absolute so you can ask 20 people and get 50 
different answers...


James McKeand wrote:
> Andrew Cotter wrote:
>>I appologize for that one.... no coffee and way too much time dealing
>>with spam this morning. 
>>We have a slew of internal Windoze servers that are all on the the
>>same subnet.  Nothing really is currently protecting the servers from
>>the desktops.  On an internal LAN, would anyone suggest using m0n0 as
>>a firewall between say a few win2k3 terminal servers, a couple MS SQL
>>servers, email, intranet, etc. from the rest of the LAN?    
>>I am specifically asking in m0n0 is a good fit for this task.  50+
>>users so I am not dealing with an overly complex setup at this time. 
> IIRC, m0n0wall has had limited success with transparent firewalling -
> which is what I think you are trying to accomplish.
> By adding a firewall between your users and your servers you will be
> dealing with an overly complex setup. The only rational for doing this
> is if you do not trust the users, i.e. public access or student/lab
> users. If that is the case restrict the public access or labs from the
> LAN on a DMZ.
> Enforce policies on proper use, updates and antivirus. Don't allow IM or
> AOL installs. Restrict installation rights on your workstations.
> Consider some kind of web content filtering to restrict access to
> questionable material/games.
> _________________________________
> James W. McKeand
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch


	best regards

Daniele Guazzoni
Senior Network Engineer, CCNA, CCNP

Ackersteinstrasse 203
CH-8049 Zurich
"Destiny is not a matter of chance, it is a matter of choice;
it is not a thing to be waited for, it is a thing to be achieved."
					William Jennings Bryan