Comment Re:Firewall != Windows Firewall (Score 1) 348
The problem there is that the Windows firewall itself creates it's own attack surface. You have such a large range of internal machines that need access to so many different services on the servers for monitoring, administration, deployment, support and so on, and so many of those services are either so poorly documented or multiplex so many different functions/services over the same port that it's difficult to write specific rules for them, that in the end your firewall rules for the servers end up being unmanageably complex. They end up not protecting you nearly as much as you think they are, and they actually cause problems and contribute to failures (I could count on spending at least half a day every week diagnosing firewall-rule-related problems, and every release tended to result in several rollbacks and re-deployments over the course of a couple of days because of errors or omissions in firewall rule changes which we also had to diagnose). Plus, for all that cost, the primary threat wasn't from other compromised servers, it was from internal machines which legitimately had access to the servers (ie. the desktops belonging to DBAs, sysadmins, managers and so on) which were compromised by malware coming in via other vectors that bypassed all the firewalls.