At the company where I am currently consulting, the local network tiers are isolated from one another by firewalls. All but the externally facing tier are completely isolated from the Internet; DNS is local only (of course), and Internet addresses are not reachable via any router. Only the externally facing tier (the DMZ, if you like) has direct Internet access.
End users are limited to restricted, monitored, and authenticated proxy connections via http/s on ports 80/443, and only if their management approves and funds the individual's access on an annual basis. IP addresses may not be used in URLs; the monitoring software requires domain names.