begin quoting Neil Schneider as of Fri, Sep 16, 2005 at 09:59:38AM -0700:
> > gossamer axe said:
> > I had read an article a while back which claimed that inside of a
> > network (that's already firewalled) each machine should also be
> > firewalled.
>
> In a corporate network, where there may be "rogue" users, it's
> probably good practice. I don't do it here, but in a customer's
> network I might suggest it. It also provides some additional
> protection from worms and viruses that might attempt to exploit
> running services on individual systems.

You don't have a stack of soekris boxen "managing" your network? :)

The users don't even have to go rogue, they can just be careless or
accidentally get infected. Internal firewalls mean that compromising one
machine behind the main firewall doesn't automatically endanger
*everything* behind the firewall.

I've read that it's a good practice to put laptops into a DMZ, since
laptops are frequently out of the control of the IT department and
aren't vetted before being put on the network -- it's frequently the
case that they're the vector for introducing malware into an otherwise
well-protected network. In some sense, laptops are an expensive
implementation of a sneaker-net.

-Stewart "Or, in my case, boot-net." Stremler

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
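As an added illustration of the per-host firewall the thread recommends (example code, not from anyone on the list): a Linux workstation ruleset that drops unsolicited inbound traffic from its own LAN, so a worm on a neighbouring host cannot reach whatever services this box happens to be running, and that keeps the laptop DMZ out entirely. The admin subnet 10.0.1.0/24 and laptop DMZ 10.0.9.0/24 are assumed values.

```shell
#!/bin/sh
# Per-host iptables policy for a workstation behind the main firewall.
# Assumed addresses (not from the thread): override via the environment.
ADMIN_NET="${ADMIN_NET:-10.0.1.0/24}"    # assumption: where admins ssh from
LAPTOP_DMZ="${LAPTOP_DMZ:-10.0.9.0/24}"  # assumption: the laptop/guest segment

# Print an iptables-restore ruleset. INPUT defaults to DROP, so nothing on
# the LAN can talk to a local service unless a rule below allows it.
host_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s $LAPTOP_DMZ -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "host-fw drop: "
COMMIT
EOF
}

# Sanity-check the generated ruleset before loading it: INPUT must default
# to DROP, and no rule may open port 22 without a source restriction.
check_ruleset() {
    rules=$(host_ruleset)
    echo "$rules" | grep -q '^:INPUT DROP' || return 1
    echo "$rules" | grep -- '--dport 22' | grep -qv -- '-s ' && return 1
    return 0
}

# Apply atomically (needs root): ./hostfw.sh apply
if [ "$1" = "apply" ]; then
    check_ruleset || { echo "ruleset failed sanity check" >&2; exit 1; }
    host_ruleset | iptables-restore
fi
```

Dropped packets are logged with the "host-fw drop:" prefix, which is also a cheap way to notice a neighbouring machine that has started probing its peers.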
