Can your internal servers reach the Internet? File servers, database servers and others that potentially store valuable information are often allowed access to the Internet, but there’s no good reason they should. The ability to do so just gives your attackers an easy way to steal your data. If an attacker gains access to a server, he can simply send the stolen data right out of your network.
By blocking outbound Internet access for your servers, you close that escape path and force the attacker to move the data somewhere else first, leaving a trail of activity that will give away his presence. The attacker will need to copy data to other workstations in order to steal it, which gives you an opportunity to detect the data transfer and take appropriate action. In addition, if you log the blocked outbound connection attempts from your servers, those log entries themselves are an indicator that something is amiss in your network: a file or database server has no business initiating connections to the Internet.
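As an added example (not from the original post), here is a small detector for the log entries described above. It assumes an egress-deny firewall rule on the server VLAN that logs in a simplified iptables-style format with a hypothetical prefix `SRV-EGRESS-DROP`, a hypothetical server subnet of 10.20.0.0/24, and a few constructed sample lines; any server that tries to reach an address outside the internal RFC 1918 ranges is reported.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log: simplified iptables-style LOG entries from a rule that
# drops outbound traffic from the internal server VLAN (addresses are made up).
SAMPLE_LOG = """\
Jan 12 03:14:07 fw kernel: SRV-EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.0.15 DST=203.0.113.44 PROTO=TCP SPT=51234 DPT=443
Jan 12 03:14:09 fw kernel: SRV-EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.0.15 DST=203.0.113.44 PROTO=TCP SPT=51235 DPT=443
Jan 12 03:15:01 fw kernel: SRV-EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.0.15 DST=198.51.100.9 PROTO=UDP SPT=40000 DPT=53
Jan 12 03:16:30 fw kernel: SRV-EGRESS-DROP IN=eth1 OUT=eth1 SRC=10.20.0.22 DST=10.20.0.5 PROTO=TCP SPT=33000 DPT=445
Jan 12 03:16:45 fw kernel: unrelated message with no packet fields
Jan 12 03:17:02 fw kernel: SRV-EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.20.0.22 DST=192.0.2.77 PROTO=TCP SPT=33001 DPT=80
"""

# Hypothetical internal server subnet: hosts here should never initiate Internet traffic.
SERVER_NET = ipaddress.ip_network("10.20.0.0/24")
# Address space considered "inside"; anything else is treated as the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) .*?DPT=(\d+)")


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def egress_attempts(log_text):
    """Return {server_ip: [(dst, proto, dport), ...]} for every server-subnet host
    that attempted a connection to a non-internal (Internet) address."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a packet log line
        src, dst, proto, dport = m.groups()
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in SERVER_NET and not is_internal(dst_ip):
            hits.setdefault(src, []).append((dst, proto, int(dport)))
    return hits


def summarize(hits):
    """Count attempts per server so repeated offenders stand out for triage."""
    return Counter({src: len(attempts) for src, attempts in hits.items()})


if __name__ == "__main__":
    found = egress_attempts(SAMPLE_LOG)
    for src, count in summarize(found).most_common():
        dests = sorted({d for d, _, _ in found[src]})
        print(f"ALERT server {src}: {count} blocked Internet attempt(s) to {dests}")
```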
If you have servers that need to communicate with the Internet, such as mail or web servers, they belong in a DMZ.
If you need Internet access to download software updates or patches, download them to an administrator’s workstation, and install from there.