Firewall Wizards mailing list archives

Re: Reverse Proxy on DMZ


From: "John Kozubik" <john_kozubik_dc () hotmail com>
Date: Sun, 17 Jan 1999 00:49:55 PST

I am sorry to interject in the middle of the discussion here, but I must 
protest the use of the term "DMZ" in relation to separate segments that 
still remain behind the firewall.

The DMZ is not firewalled.  The DMZ exists _between_ the firewall and 
the router/modem/interface.

No matter what checkpoint software and assorted other goons packaging 
neat little things in shiny boxes tell you, the DMZ is not firewalled, 
or a part of the firewall, or a segment off of the firewall, etc.

I don't know what you should call it - certainly some nifty sounding 
throwback to the Vietnam war so we can all feel cool, but it is _not_ 
the DMZ.

You may be asking what the point of an area between the firewall and the 
router is - it is for machines that should not be given any kind of 
filtering whatsoever.  The data collection portion of the Navy's STEP 
IDS system comes to mind, or the entire portion of NFR.  Or you can just 
put a hub in the DMZ and leave it for machines that you will throw there 
in case of emergency.

If someone tells you they are putting their mail or www server in the 
DMZ, laugh at them for not firewalling these mission critical machines, 
or calmly explain to them that the area off of the third NIC in their 
firewall is _not_ the DMZ.  Unless you are from CheckPoint software, in 
which case you are calling it a DMZ because the marketing goons think it 
is a 'feature' or something.


kozubik - John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE  AD87 520F 57BE 850B E4C4




