These rules will keep users in their place

24.04.2006

Ideally, we would segment the network so that a single segment would contain all employee desktops, except for those of certain users, such as systems administrators and network engineers, who would be situated on an isolated network with a trust relationship to the production data center. Within the server farm, there would be separate networks and virtual LANs for Web, application and database servers. This arrangement would let us control the relationships between these servers and help prevent malicious activity.

For example, in a three-tiered application such as SAP, there is no reason for a Web server to have any relationship with a database server. The relationship should be between the Web server and the application server. These are the types of separations of duties that I am trying to achieve.

There will have to be compensating controls for certain situations that are likely to arise. For example, placing systems administrators on an isolated administrative network might turn out to require too much effort, either because of our use of DHCP (Dynamic Host Configuration Protocol) or simply because of the way our network is architected. A compensating control in this case might be to place a bastion host -- a gateway between the critical network and the general corporate network -- on a separate network and make that bastion host the only server that can access the production environment. The purpose of a bastion host is to defend against attacks aimed at our critical network. We would then force all administrators to authenticate to the bastion host before accessing any of our production servers.
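To make the tier separation and the bastion-only rule concrete, here is an added example (not from the column) that encodes the segments as a default-deny flow policy and audits sample flow records for violations such as a Web server reaching the database directly or an administrator bypassing the bastion host. The address ranges, ports and flow lines are constructed assumptions.

```python
import ipaddress
# Segments the column describes; the address ranges are constructed placeholders.
SEGMENTS = {
    "desktops": ipaddress.ip_network("10.1.0.0/16"),
    "admin":    ipaddress.ip_network("10.2.0.0/24"),
    "bastion":  ipaddress.ip_network("10.3.0.0/28"),
    "web":      ipaddress.ip_network("10.10.1.0/24"),
    "app":      ipaddress.ip_network("10.10.2.0/24"),
    "db":       ipaddress.ip_network("10.10.3.0/24"),
}

# Permitted flows as (source segment, destination segment, destination port).
# Anything not listed is denied: web talks to app but never to db, and admins
# reach production only through the bastion host.
ALLOWED = {
    ("desktops", "web", 443),   # users reach the application front end
    ("web", "app", 8000),       # three-tier: web -> app (assumed port)
    ("app", "db", 5432),        # three-tier: app -> db (assumed port)
    ("admin", "bastion", 22),   # admins authenticate to the bastion first
    ("bastion", "web", 22),     # only the bastion may manage production
    ("bastion", "app", 22),
    ("bastion", "db", 22),
}

def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if it is in none."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), "unknown")

def evaluate(src_ip, dst_ip, dst_port):
    """Default-deny decision for one connection attempt: 'allow' or 'deny'."""
    key = (segment_of(src_ip), segment_of(dst_ip), dst_port)
    return "allow" if key in ALLOWED else "deny"

def audit(flow_records):
    """Return (src segment, dst segment, port) for every flow the policy denies."""
    violations = []
    for line in flow_records:
        src, dst, port = line.split()
        if evaluate(src, dst, int(port)) == "deny":
            violations.append((segment_of(src), segment_of(dst), int(port)))
    return violations

# Constructed flow records in "src dst port" form, as a flow export might give.
SAMPLE_FLOWS = [
    "10.1.5.7 10.10.1.10 443",     # desktop -> web: permitted
    "10.10.1.10 10.10.2.10 8000",  # web -> app: permitted
    "10.10.1.10 10.10.3.10 5432",  # web -> db directly: violation
    "10.2.0.5 10.10.2.10 22",      # admin bypassing the bastion: violation
    "10.3.0.2 10.10.3.10 22",      # bastion -> db: permitted
]
```

Running `audit(SAMPLE_FLOWS)` flags the two flows that break the separation; the same table can be translated line by line into firewall rules between the VLANs.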

I don't imagine I'll win many friends with my recommendations, but I will be able to sleep better knowing that our infrastructure is a bit more secure than it was before.

What do you think?