Should you run firewalls inside your network perimeter?

The age-old question. I've seen responses go both ways on this, but never a comprehensive answer as to why you want firewalls active within your trusted network. When I say "trusted", I (typically) mean a LAN that is already behind an active firewall.

I'd like to have comprehensive reasons as to why you would want this. The only argument I've ever heard of is that firewalls inactive within your trusted network lead to a "crunchy-chewy" security arrangement, where breaching the "crunchy-hard" exterior firewall exposes all of the "soft-chewy" internal machines.


Solution 1:

I think having firewalls within the network is a good thing for a variety of reasons.

  1. Protect your sensitive internal data from being modified/stolen/deleted. If every end user in your company has network access to all of your production database servers, passwords are all that protect your data. In some cases (SQL accounts vs. domain accounts) it's common for the entire development staff to have the write access password on all of these DBs. Most of the statistics I've seen indicate you're far more likely to be attacked from within than from an outside attacker. Disgruntled employees can be extremely motivated.
  2. Protect your sensitive internal data from being accidentally modified/deleted. Accidentally pointing a Stage web server at a Production DB server happens way more often than you'd think. If you firewall off your Prod DB servers such that only prod web servers and DBAs can reach them, you mitigate this risk significantly.
  3. A more robust, layered approach. The more layers of sensible security you add, the better. Some people can go a little crazy with this, but overall this is a good idea.
  4. As your network gets larger you need protection from yourself. Be it rogue access points or laptops, it's almost impossible to be 100% confident that everything on your network is conforming to your security policy.

Solution 2:

Yes, simply because with just a firewall at the border, you have a single point of failure. If that firewall has a bug that allows it to be bypassed, then your security is gone.

Security should be a layered approach, applying security at each layer whenever it is possible, or at least cost effective, and appropriate for the level of risk.

As with all security advice, you should take into account the actual risk involved if your system was compromised. If all you would lose is a non-critical box with no data then it may not matter all that much. If you are trying to protect state secrets, bank accounts or health care information you need to employ a lot more layers.

Solution 3:

Never underestimate the ability of another employee to bring their virus laden laptop from home and plug it into your backbone, either.

Solution 4:

Running a firewall on an internal server lets you control what services are really used and prevents misuse.

For example, you have a Solaris server intended to be used as an NFS server only. Then one day you discover that some users have discovered that they are able to connect to it using telnet/ssh/rsh/X and have started to run their seismic job on it ...
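An added example, not from any answer in this thread: an nftables host firewall for the "NFS-only" internal server Solution 4 describes (and the same pattern works for the Prod DB servers in Solution 1), written for a Linux host rather than Solaris. The LAN and admin subnets are placeholders to adjust to your own network.

```shell
#!/bin/sh
# Host firewall for an internal NFS-only server (added example, not from the thread).
# Default policy is drop, so telnet/rsh/X11 and other stray daemons are unreachable
# from ordinary users even if someone leaves them enabled on the box.
LAN_NET="10.0.0.0/16"        # placeholder: clients allowed to mount NFS
ADMIN_NET="10.0.250.0/24"    # placeholder: the only network allowed to SSH in

# Print the ruleset. IPv6 is dropped by the default policy; add ip6 rules if used.
ruleset() {
    cat <<EOF
flush ruleset
table inet host_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        # NFSv4 needs only 2049; rpcbind (111) is required for NFSv3 clients,
        # and NFSv3 mountd/lockd must be pinned to fixed ports to be listed here
        ip saddr $LAN_NET tcp dport { 111, 2049 } accept
        ip saddr $LAN_NET udp dport { 111, 2049 } accept
        # administrative access only from the admin subnet
        ip saddr $ADMIN_NET tcp dport 22 accept
        # log refused connections (rate-limited) so misuse attempts show in syslog
        limit rate 10/minute log prefix "host_fw drop: " level info
        counter drop
    }
}
EOF
}

# Syntax-check, then load the ruleset atomically (requires root and nft).
apply_ruleset() {
    ruleset | nft -c -f - && ruleset | nft -f -
}
```

Run `apply_ruleset` on the server; the `host_fw drop:` log lines then tell you who is still trying to reach the services you closed.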