Why should servers be placed outside of the corporate network?
Having all your corporate servers in the same network is a bad idea because if one of the servers is compromised, the attacker can easily spread out to the others. Servers are often configured to be secure on the front end, but when it comes to servers communicating with each other, there are various ways to find vulnerabilities. Also, the sensitivity of data is often not the same. While a web server is important for availability, a database server often contains valuable customer data. Separating these is a good idea in any case.
Specialized hosting providers for specific servers are mostly able to keep their servers more secure as well.
Thanks to the internet, there is no reason not to separate servers, unless your application is so time-dependent that, for example, database servers need to be accessed directly.
There is nothing wrong with running servers inside the corporate network - except that the corporate network should not be one wide, flat network. You should consider segregating assets and users into different "zones" and then write rules that allow the right (and expected) access between those zones. In your model, include an "internet zone" and also any direct links to third parties your company may have (e.g. VPN to suppliers).
I would always use firewalls rather than simply splitting the network into VLANs. Firewalls offer better functionality to build rules (or groups of rules) so you can whitelist traffic that you expect to flow between zones.
You can place security controls on intra-zone borders, such as:
- IPS/IDS reporting to your SOC/SIEM
- Access control list functionality (supported by some firewall manufacturers) that will allow you to ensure that only authorised users may access a zone where servers/apps reside. Of course, your DENY log will be useful for the SOC
Organising the zones will be different for every organisation, but common examples are:
- segregating development/testing from production
- segregating users from production servers
- segregating high-risk or highly sensitive application servers from non-sensitive application servers
There are some risks. Take care not to overdo the number of zones and make it too complex. Otherwise the burden of maintaining rules will become a big cost. Consider investing in a firewall product that has good rules management, or even a separate rules management application (e.g. Tufin SecureTrack; there are others too).
Also be aware that some firewall suppliers have proprietary ways of adding ACLs to rules; these can have a heavy hit on performance of the firewall and you may need larger kit than expected.
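The zone model described in the answer above, as an added illustration that is not part of the original post: a default-deny whitelist of expected flows between zones (internet, users, web, db, dev), with every rejected flow written to a DENY log for the SOC. The zone names, CIDRs, ports and sample flows are constructed for this example.

```python
import ipaddress
from typing import NamedTuple

# Constructed zones (hypothetical addressing); each zone is a list of CIDRs.
ZONES = {
    "internet": ["0.0.0.0/0"],      # catch-all, matched only if nothing else does
    "users":    ["10.10.0.0/16"],   # workstations
    "web":      ["10.20.0.0/24"],   # front-end application servers
    "db":       ["10.30.0.0/24"],   # database servers holding customer data
    "dev":      ["10.40.0.0/16"],   # development/testing
}
# Longest prefix wins, so "internet" only claims addresses no other zone does.
_NETS = sorted(((ipaddress.ip_network(c), z) for z, cs in ZONES.items() for c in cs),
               key=lambda t: t[0].prefixlen, reverse=True)

# Whitelist of expected inter-zone flows: (src_zone, dst_zone, dst_port).
# Everything not listed is denied: nothing reaches "db" except "web",
# and "dev" never talks to production.
ALLOWED = {
    ("internet", "web", 443),
    ("users", "web", 443),
    ("web", "db", 5432),
}

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int

def zone_of(ip: str) -> str:
    """Map an address to its zone by longest matching prefix."""
    addr = ipaddress.ip_address(ip)
    for net, zone in _NETS:
        if addr in net:
            return zone
    raise ValueError(f"no zone for {ip}")

def evaluate(flow: Flow, deny_log: list) -> bool:
    """Return True if the flow is whitelisted; otherwise record it in deny_log."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if (src_zone, dst_zone, flow.dport) in ALLOWED:
        return True
    deny_log.append(f"DENY {src_zone}->{dst_zone} {flow.src}->{flow.dst}:{flow.dport}")
    return False

SAMPLE_FLOWS = [                                # constructed sample traffic
    Flow("203.0.113.7", "10.20.0.10", 443),     # internet -> web: expected
    Flow("10.20.0.10", "10.30.0.5", 5432),      # web -> db: expected
    Flow("10.10.4.2", "10.30.0.5", 5432),       # user straight to db: denied
    Flow("10.40.1.1", "10.30.0.5", 5432),       # dev -> production db: denied
    Flow("203.0.113.7", "10.30.0.5", 5432),     # internet -> db: denied
]

def run(flows=SAMPLE_FLOWS):
    """Evaluate each flow; return the verdicts and the DENY log for the SOC."""
    log = []
    return [evaluate(f, log) for f in flows], log
```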
Servers usually need to be accessed from the Internet, so your network design must allow connections from the Internet to the network where your servers are. Now if you put the servers in the internal network, that means you have to expose the internal network to the Internet by design.
And there is no reason to put the servers in the company network anyway. Even if the servers are used from the workstations in the company network, they (usually) don't need to establish connections to the workstations.