Basically what you are talking about when you are firewalling your LAN is a classification model, in which you separate your servers, and who can talk to them, based on risk and need to know. It's not an uncommon theme in the financial services sector, and honestly I have been trying to gain steam at my workplace to start a data classification model in which resources (servers) and users are isolated by using encryption devices to handle all their traffic and restricting access to servers to specific AD groups, basically creating a data silo.

Cipheroptics has some nice network-based devices that do this that I want to demo whenever I get the go-ahead from the business. Again you gotta look at the business impact analysis, risk analysis, and ROI for doing such an endeavor and show the auditor whether it's financially feasible and if the cost of the additional controls reduces the risk without costing more than the assets you are trying to protect are worth. Have fun on that quantitative risk analysis, it will take you a little while to run the numbers.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP, Security+, Network+, CCA
Phone: 401-639-3505

-----Original Message-----
From: Kurt Buff [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 23, 2008 1:54 PM
To: NT System Admin Issues
Subject: Re: Firewall between LANs

On Jan 23, 2008 8:00 AM, David W. McSpadden <[EMAIL PROTECTED]> wrote:
>
> Audit recommendation:
> Credit Union should investigate risk of not having Firewalls in place
> between LANs.
>
> WTF?
>
> Has anyone heard of such a thing on your own private WAN???

Absolutely. It's a really good idea in many situations, and I'm working on it for our environment here. Our situation is not your situation, as we're not a financial institution, but we have something that's very dangerous on our network - software engineers.

I'd think that the more controls and auditing on a financial network (within reason) the better. Deny access by default, allow access only with a proper business case and good auditing.

I'm working on firewalling our dev/test teams away from our financial/HR/management/other subnets, and even each other, and vice versa. We'll probably end up using TS to give them access.

Kurt

~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
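As an added illustration of the "deny by default, allow only with a business case" segmentation Kurt describes (dev/test fenced off from finance/HR, reaching internal apps only through a terminal-server segment), here is a small policy model written for this page, not code from the thread or from any vendor. The segment names, subnets, ports and justifications are constructed assumptions; it evaluates a flow against the explicit allow list and renders the same policy as an nftables forward-chain fragment with a logged default drop.

```python
# Added example: inter-LAN default-deny policy model (constructed addressing).
import ipaddress
from collections import namedtuple

SEGMENTS = {                                   # assumed sample subnets
    "dev":     ipaddress.ip_network("10.10.0.0/24"),
    "test":    ipaddress.ip_network("10.20.0.0/24"),
    "finance": ipaddress.ip_network("10.30.0.0/24"),
    "hr":      ipaddress.ip_network("10.40.0.0/24"),
    "ts":      ipaddress.ip_network("10.50.0.0/24"),  # terminal-server segment
}

# Every permitted inter-segment flow carries the business case an auditor asks for.
Allow = namedtuple("Allow", "src dst proto dport justification")
ALLOWS = [
    Allow("dev",  "ts",      "tcp", 3389, "developers reach internal apps via TS"),
    Allow("test", "ts",      "tcp", 3389, "testers reach internal apps via TS"),
    Allow("ts",   "finance", "tcp", 443,  "TS sessions use the finance web app"),
]

def segment_of(ip):
    """Map an address to its segment name, or None if it is in no known LAN."""
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)

def decide(src_ip, dst_ip, proto, dport):
    """Return ('allow', justification) or ('deny', reason) for one flow."""
    s, d = segment_of(src_ip), segment_of(dst_ip)
    if s is None or d is None:
        return ("deny", "unknown segment")
    if s == d:
        return ("allow", "intra-segment")      # the firewall sits between LANs only
    for a in ALLOWS:
        if (a.src, a.dst, a.proto, a.dport) == (s, d, proto, dport):
            return ("allow", a.justification)
    return ("deny", f"no business case for {s}->{d} {proto}/{dport}")

def nft_rules():
    """Render the allow list as an nftables forward chain with policy drop."""
    lines = ["chain forward { type filter hook forward priority 0; policy drop;",
             "  ct state established,related accept"]
    for a in ALLOWS:                           # one explicit, commented accept per case
        lines.append(f"  ip saddr {SEGMENTS[a.src]} ip daddr {SEGMENTS[a.dst]} "
                     f"{a.proto} dport {a.dport} accept comment \"{a.justification}\"")
    lines.append('  log prefix "inter-lan-deny " drop')   # audit trail for denials
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(decide("10.10.0.5", "10.30.0.10", "tcp", 445))   # dev -> finance: denied
    print(nft_rules())
```

The chain fragment is meant to be placed inside an `inet` table; the logged drop at the end is what gives the auditor evidence of blocked cross-LAN traffic.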
