What are internal firewalls (Firma-interne FWs), and why segment within the Intranet?
Internal firewalls subdivide the Intranet into segments — Department X, Department Y, Production, R&D — so that breaching one segment doesn't compromise all. This is micro-segmentation and is the foundation of Zero-Trust architecture.
* An internal firewall segments the Intranet to contain lateral movement. *
The architecture:
[Internet] ─→ [DMZ FW] ─→ [Intranet]
├─ [Internal FW]
│ ├─ [Department X]
│ └─ [Department Y]
└─ ...
Why segment internally:
"Ergibt bessere Zugriffs-Kontrolle, eine Firmen-Securitypolicy kann so erzwungen werden."
| Threat | Without internal FW | With internal FW |
|---|---|---|
| Phishing victim opens malware | Spreads laterally to whole Intranet | Confined to their department |
| Compromised contractor laptop | Reaches entire LAN | Limited to guest segment |
| Ransomware outbreak | Encrypts all file servers | Stopped at segment boundary |
| Disgruntled employee snooping | Browses everything | Limited to their authorized scope |
The "User-based access control" tease:
"Setzt man Proxy ein kann auch auf User-basis Zugriffskontrolle gemacht werden"
When a proxy is part of the internal FW, you can enforce identity-based rules: "Marketing users can access HR servers for benefits info, but Engineering users cannot." This goes beyond IP-based segmentation.
Real-world implementations:
| Product / Approach | Use case |
|---|---|
| Internal hardware FWs (Fortinet, Palo Alto) | Traditional network segmentation |
| VLANs + ACLs on switches | Cheaper alternative for small environments |
| Cisco ACI / VMware NSX | Software-defined micro-segmentation |
| Host-based firewalls (Windows FW + GPO) | Enforce policy at the endpoint |
| Identity-aware proxies (BeyondCorp / Cloudflare Access) | Modern Zero-Trust approach |
The micro-segmentation movement:
Modern security thinking: don't just have a few internal segments — have one segment per workload, with explicit allow rules between them. NIST and CIS Controls both emphasize this.
In a Zero-Trust architecture, the "internal network" doesn't exist as a trust boundary — every workload-to-workload connection is independently authenticated and authorized.
Tip: For a small business, full micro-segmentation is overkill. Start with 3 segments: Office (workstations), Servers, Guest WiFi. Just blocking guest WiFi from reaching internal servers stops 80% of the lateral-movement risk.
Go deeper:
Network segmentation (Wikipedia) — covers micro-segmentation and SDN-based intra-network isolation.
Zero trust architecture (Wikipedia) — the model where the internal network is no longer a trust boundary.