A reader writes: "All the news about the worm currently making the rounds got me thinking about adding a secondfirewall internally to protect really critical servers. I'm not sure the benefit would offset the cost. Is this something I should implement?"
Answer: If you have a server that really can't be down and you want to take reasonable precautions against it being a target of attack, you need to look at all options. Depending on the level of comfort you have with the differentOSes (Windows, NetWare, Linux, etc), you may be able to approach the problem from several different directions.
Whether you do packet filtering using features available in the OS itself (iptables in Linux for example) or go with a commercially available firewall, the best solution will depend on the level of protection you need. One criteria I recommend in judging a firewall is some type of intrusion-detection functionality or the ability to send alerts of that type to a syslog server on your network. Having a firewall may not help protect the server if an attack is launched and nothing realizes it.
If you already have Vendor A's firewall on the exterior firewall of your company's network, having a smaller one to protect your critical servers would leverage your existing knowledge making it easier to administer. On the other hand, once the external firewall has been compromised, getting past another firewall from the same vendor probably wouldn't keep the unwelcome visitor out for long. Using a different firewall from Vendor B or C would require learning another firewall, but would make it a little more difficult for someone to get to your important servers.