[ previous ] [ next ] [ threads ]
 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Re: Internal Firewall
 Date:  Fri, 2 Sep 2005 09:45:29 -0400
On 9/1/05, Daniele Guazzoni <daniele dot guazzoni at gcomm dot ch> wrote:
> Is not only a matter of trust / don't trust the users.
> We (where I work) have an ASP setup with something about 15 different
> applications involving about 200 machines (physical and virtual).
> In a classical setup with security zones (internet, DMZ, intranet) you
> end up having lots of servers in the same segment and you filter
> communications only at the segment boundary.
> The risk is that one single compromised server can tear down the whole
> segment.

In situations like this you should use private VLAN's where ever
possible.  Most of those hosts probably don't need to talk to each
other.  PVLAN's are well suited to most client PC's too in most
environments, since the PC's typically don't need to talk to each

> Regarding Andrew original question:
> In a setup with M$ machines I urge you to separate desktops from
> servers. We all know how secure M$ intrinsically is...

pfft.  Pure FUD.  If you can't secure a Windows box and keep it
secure, you shouldn't be running a Windows network.  And if the users
on "the other side" need to access anything from these boxes (Active
Directory, file and print, etc.) you're going to have to open up so
many ports, and all the most easily breachable ports, that it's not
worth the trouble to segment if performance is of any concern at all. 
If you have machines that never need to access those servers, sure,
block them off in another VLAN or something, but in any real network
segmenting the servers from the clients will provide next to no
benefit because you have to open up practically everything.  Kerberos,
LDAP, NetBIOS, DNS, etc.  That's what gets breached on typical Windows
boxes most of the time.

With VLAN's and a good L3 switch though, you shouldn't have to worry
about performance issues.

> But security is never absolute so you can ask 20 people and get 50
> different answers...

yep, depends far too much on the exact details of the environment
you're operating.