From: Terry Tyson [mailto:[EMAIL PROTECTED]
> > Generally, that is a bad situation. So, the advice to put different types
> > of machines into different (protected) networks is good.
>
> I only have one firewall but it is three legged, the DMZ box and the
> LAN are separate. Is this what you mean by "different (protected)
> networks"?
I take it as meaning avoiding the "crunchy on the outside, chewy in the middle" architecture that only perimeter security gives you. Depending on your network and the assets and information located on the LAN, you may find that separating services by access level gives you benefit. For example, say you have financial users, financial servers, HR users, HR servers, standard internal servers, and regular end users / trained monkey staff. Even though they are technically all on the LAN, you can protect your financial servers from the places and people on the LAN that don't need access to them by placing/protecting them such that only your financial users that DO need access to them can reach them. Ditto for the HR systems/people. As for the standard network services servers, since everybody needs to access them, you have a less restrictive policy around them. Real segmentation of the LAN works for this kind of thing, via VLANs or whatever.

DS
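The segmentation argument above, modelled as an added example (not code from either poster): the six segments named in the reply are treated as VLANs or firewall zones, a perimeter-only policy is placed beside the segmented allow-list, and a small audit flags observed flows the segmented policy would deny. Segment names and the sample flows are constructed for the example.

```python
from itertools import product

# Segments from the reply; assumption: each is its own VLAN / firewall zone.
SEGMENTS = {"fin_users", "fin_servers", "hr_users", "hr_servers",
            "std_servers", "end_users"}

# "Crunchy outside, chewy middle": once inside the LAN, every segment
# reaches every other segment. Only the perimeter enforces anything.
PERIMETER_ONLY = set(product(SEGMENTS, repeat=2))

# Segmented LAN: explicit allow-list of (source, destination) pairs,
# everything not listed is denied.
SEGMENTED = {
    ("fin_users", "fin_servers"),   # only financial users reach financial servers
    ("hr_users", "hr_servers"),     # only HR users reach HR servers
}
# Standard network services are needed by everybody, so the policy is looser.
SEGMENTED |= {(src, "std_servers") for src in SEGMENTS}


def allowed(policy, src, dst):
    """True if traffic from segment src to segment dst is permitted."""
    return src == dst or (src, dst) in policy


def exposure(policy, server_segment):
    """Segments (other than itself) that can reach server_segment."""
    return sorted(s for s in SEGMENTS
                  if s != server_segment and allowed(policy, s, server_segment))


def audit_flows(policy, flows):
    """Return observed (src, dst) flows that the policy does not permit.
    Run over flow logs, this is how you spot what the segmentation is
    supposed to be stopping (or a misconfigured ACL that lets it through)."""
    return [flow for flow in flows if not allowed(policy, *flow)]


# Constructed sample of observed inter-segment flows.
SAMPLE_FLOWS = [
    ("fin_users", "fin_servers"),
    ("end_users", "std_servers"),
    ("end_users", "fin_servers"),
    ("hr_users", "fin_servers"),
    ("hr_users", "hr_servers"),
]

if __name__ == "__main__":
    for name, policy in (("perimeter-only", PERIMETER_ONLY), ("segmented", SEGMENTED)):
        print(name, "fin_servers reachable from:", exposure(policy, "fin_servers"))
        print(name, "flows denied:", audit_flows(policy, SAMPLE_FLOWS))
```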