We recently had a situation in which one of our servers was accessed by someone from another building/floor who had no need to get into the system. Part of the problem was that someone left their username/password out in plain sight; that problem has been fixed. . . .
"We recently had a situation in which one of our servers was accessed by someone from another building/floor who had no need to get into the system. Part of the problem was that someone left their username/password out in plain sight; that problem has been fixed. Management is concerned that our more sensitive servers may not be as protected as they should be. We already have one firewall protecting our Internet connection. Should we look at an additional firewall to protect the servers that management is concerned about?"

A little more protection is always a good thing. There are two ways you can approach this. Depending on what type of a core switch/router you are using, you can restrict access to certain systems by using Access Control Lists (ACL) in the switch/router. While this is doable, you also should think about limiting the port numbers that the designated systems can be reached with. This, too, can be done with ACLs. Something to think about is keeping this information backed up in a safe place, as if you have to replace the system, you'll need to replace that information to keep the same level of protection. Another option is an interior firewall. Using more than one firewall is becoming commonplace on networks today as controlling access to designated systems is becoming more important. While Linux-/Unix-based systems come equipped with their own firewall functionality built in, why maintain a firewall setup on each system when you can centralize the management? One argument I frequently hear is whether to use the same brand of firewall for your second interior router or a different brand. There is some validity to this question. Look at it from this perspective: Would you rather have to learn two different interfaces to manage two firewalls or use just interface to manage two firewalls? One reason for using different brands of firewalls is that if one gets compromised, the hacker/intruder has to pretty much start all over again to try and get past the second. Look at the vulnerabilities reported by the vendor and the security community on the firewall you're currently using. Compare this against the other firewalls you consider. See which has had the most problems and how quickly they were resolved.

The link for this article located at Ron Nutter is no longer available.