>At what point does the number of users inside of a perimeter become so
>large that inside of the firewall becomes virtually indistinguishable
>from outside of the firewall? 1,000 users? 10,000 users? 100,000
>users? Is this point real or just imaginary?
My take is it's less a matter of number of users than
it is number of network interconnects. Offhand, the problem is
one of those: "if you have to ask, you already know the answer"
kind of deals.
Intranetwork firewalls are becoming a hot topic, and
I worry that they won't be deployed sensibly, since most networks
are presently designed to be a single security domain with
no internal separation.
If I were to tackle the problem, I'd say you need to
divide your users and their desktops up into the different
roles they play, sort the roles into security domains, then
develop access policies for controlling communication between
each domain. Those policies would be implemented with a
combination of routers, firewalls, virtual LANs and hubs,
or whatever. I actually have a short tutorial on how to
do this kind of analysis that I have been working on for
some time, but it's not quite good enough yet -- and every
time I present the concept people's response is invariably,
"reorganizing my network would take too much work!!"