LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are internal firewalls (Firma-interne FWs), and why segment within the Intranet?

Internal firewalls subdivide the Intranet into segments — Department X, Department Y, Production, R&D — so that breaching one segment doesn't compromise all. This is micro-segmentation and is the foundation of Zero-Trust architecture.

Perimeter FW → internal segmentation FW fanning out to Dept X, Dept Y, Guest/IoT.

* An internal firewall segments the Intranet to contain lateral movement. *

The architecture:

[Internet] ─→ [DMZ FW] ─→ [Intranet]
                              ├─ [Internal FW]
                              │     ├─ [Department X]
                              │     └─ [Department Y]
                              └─ ...

Why segment internally:

"Ergibt bessere Zugriffs-Kontrolle, eine Firmen-Securitypolicy kann so erzwungen werden."

Threat Without internal FW With internal FW
Phishing victim opens malware Spreads laterally to whole Intranet Confined to their department
Compromised contractor laptop Reaches entire LAN Limited to guest segment
Ransomware outbreak Encrypts all file servers Stopped at segment boundary
Disgruntled employee snooping Browses everything Limited to their authorized scope

The "User-based access control" tease:

"Setzt man Proxy ein kann auch auf User-basis Zugriffskontrolle gemacht werden"

When a proxy is part of the internal FW, you can enforce identity-based rules: "Marketing users can access HR servers for benefits info, but Engineering users cannot." This goes beyond IP-based segmentation.

Real-world implementations:

Product / Approach Use case
Internal hardware FWs (Fortinet, Palo Alto) Traditional network segmentation
VLANs + ACLs on switches Cheaper alternative for small environments
Cisco ACI / VMware NSX Software-defined micro-segmentation
Host-based firewalls (Windows FW + GPO) Enforce policy at the endpoint
Identity-aware proxies (BeyondCorp / Cloudflare Access) Modern Zero-Trust approach

The micro-segmentation movement:

Modern security thinking: don't just have a few internal segments — have one segment per workload, with explicit allow rules between them. NIST and CIS Controls both emphasize this.

In a Zero-Trust architecture, the "internal network" doesn't exist as a trust boundary — every workload-to-workload connection is independently authenticated and authorized.

Tip: For a small business, full micro-segmentation is overkill. Start with 3 segments: Office (workstations), Servers, Guest WiFi. Just blocking guest WiFi from reaching internal servers stops 80% of the lateral-movement risk.

Go deeper:

From Quiz: INTROL / Firewall Fundamentals | Updated: Jul 14, 2026