Using Firewalls to Segment Internal Resources

Pages: 4      File type: pdf      Size: 38.56 KB      Views: 21      Downloads: 0
Thu Hiền

Perhaps the most overlooked implementation of a firewall is on the internal network. Many companies make the mistake of considering their entire internal network to be a trusted network. Unfortunately, the prevalence of worms and viruses today undermines this philosophy. Companies are repeatedly decimated by worms that spread unchecked throughout the network because no firewalls have been implemented on the internal network to segment and control its traffic. In a number of instances, firewalls should be considered on the internal network:

• To protect sensitive internal resources
• To protect from WAN or remote-access (VPN, dial-in, etc.) requests
• To protect individual internal resources

Protecting Sensitive Internal Resources

Sensitive internal resources include any servers that contain critical and sensitive data such as human resources (HR) data, financial data, or source code. This could also include segmenting resources based on things such as department or job function. These servers and resources should really only be accessed by certain individuals, and in conjunction with access controls in place on the server itself, a firewall can be used to prevent unauthorized hosts from even being able to reach the server in the first place. For example, if the HR server should only be accessed by the HR department, and the HR department resources are on a defined range of IP addresses, a firewall can be configured to allow only those IP addresses to access the server over the network. An even better implementation exists in environments where the firewall can be configured, frequently through the use of VLANs, to place all the HR resources (both the servers and the computers of all the HR users) on the same protected subnet. This enables you to configure the firewall to block all traffic from sources outside that subnet, while still allowing the HR users to access any resources on the rest of the internal network. Figure 9-6 depicts this kind of segmentation.

Figure 9-6. Using a Virtual Firewall to Protect Internal Resources

Protecting from WAN or Remote-Access Requests

Another overlooked part of the internal network is the remote locations that exist either across the WAN or across a VPN or dial-in connection. Because these are still corporate-owned and -managed networks, the tendency is to treat them as trusted network segments. Unfortunately, small office locations are rarely given the level of technical resources that the corporate or larger office locations are. That makes those remote computers and systems more vulnerable to attack and compromise than the systems at the well-managed central office.

To protect against this, all traffic from remote locations should be filtered such that the remote systems have access only to the resources that they require. For example, think of your network as a wheel: a hub (the central office) with a number of spokes (the remote offices). The odds are that most of the remote offices do not need to communicate with each other, so you should prevent them from being able to do so. This policy has the intentional side effect of also helping to prevent the spread of worms throughout your network, by ensuring that the remote offices are unable to infect each other directly.

Filtering of the WAN traffic should not be restricted only to preventing the remote offices from communicating with each other, however. Even at the central or main offices, firewalls should be implemented to control the resources that remote offices are allowed to access. For example, if the remote offices need access only to e-mail, implement a firewall that allows access only to the e-mail servers.

Protecting Individual Internal Resources

Individual internal resources can range from your important servers to every single device on your network. On the surface, it may seem an insurmountable task to protect all of your internal resources. However, through a combination of network-based and, in particular, host-based firewalls, it is a surprisingly doable task to implement a filtering strategy throughout your internal network that can effectively protect any individual resource on the entire internal network.

Be Realistic When Implementing Internal Firewalls

It is easy to become overwhelmed with implementing firewalls on the internal network because we have a tendency to think that we need a full-blown firewall everywhere. Unless your company is exceedingly rich, you probably will not get 100 dedicated firewalls to filter traffic from 100 WAN connections. Keep in mind that when we are talking about firewalls, we are talking about everything from simple packet-filtering routers to full-blown application proxies. It is important to select the proper firewall for the circumstances, and although a packet-filtering router is probably not a good choice as your only line of defense from the Internet, it can be a great choice for use within the internal network.

Because most of your WAN circuits and subnets have to traverse a router anyway, implementing filtering on the router is an easy thing to do without needing to spend the money necessary to implement a separate and distinct firewall. When you consider the functionality provided by routers that are capable of running firewall code, such as the Cisco IOS Firewall, it becomes easy to implement full-featured firewall filtering throughout the network at a minimal cost.

Also keep in mind the performance implications of implementing firewalls throughout the internal network. Most firewalls do a fine job of performance as it relates to Internet connections. When you start looking at implementing firewalls on internal networks, however, keep in mind that the amount of bandwidth required for internal networks is typically much, much higher (T1 ...
