Firewall Wizards mailing list archives

Re: DMZ best practices


From: Bill_Royds () pch gc ca
Date: Mon, 18 Jan 1999 17:30:26 -0500


The segment behind a third NIC that carries servers that one runs but may
not trust (because they are open to the public) could be called the
dirty segment or server segment. Vendors call it the DMZ because early
firewalls with only 2 NICs put servers on the true DMZ.

One does need a segment that allows servers to be protected from direct
attacks but that is also restricted in its access to the inside.

Partitioning of capabilities by need to know is one of the fundamental
ideas in security, whether computer or otherwise. Putting servers on a
restricted segment that does not know the inside topology is an
implementation of this policy.

What you call it is less important than what it does.




Please respond to "John Kozubik" <john_kozubik_dc () hotmail com>

To:   firewall-wizards () nfr net, perry () timpo osd mil
cc:    (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject:  Re: DMZ best practices




Perry,

A lot of whiz-bang firewall packages offered these days (Checkpoint
software's FireWall-1 comes to mind) offer you the ability to implement
a 'DMZ'.
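
The three-legged layout discussed in this thread (outside, server/DMZ segment, inside, each on its own NIC) comes down to a forwarding policy in which the server segment can be reached from outside on the published ports, can be administered from inside, and can never initiate a connection toward the inside. The model below is an added example, not code from the list or from any vendor product; the interface names eth0/eth1/eth2, the zone map and the port choices are assumptions made for illustration. It evaluates packets against an ordered zone-to-zone rule table with a default drop, checks that no rule leaks from the DMZ into the inside, and renders the same table as an nftables forward chain.

```python
"""Model of a three-NIC firewall policy: outside, DMZ (server segment), inside.

Added example. Interface names, zones and ports are assumptions, not taken
from the original post.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Assumed NIC-to-zone mapping for a three-legged firewall.
ZONES: Dict[str, str] = {"eth0": "outside", "eth1": "dmz", "eth2": "inside"}


@dataclass(frozen=True)
class Rule:
    src: str            # source zone
    dst: str            # destination zone
    proto: str          # "tcp" or "udp"
    dports: FrozenSet[int]  # empty set means any destination port
    action: str         # "accept" or "drop"


@dataclass(frozen=True)
class Packet:
    iif: str            # ingress interface
    oif: str            # egress interface (after routing)
    proto: str
    dport: int
    state: str          # "new" or "established"


# Assumed policy: first match wins, anything unmatched is dropped.
# Note there is deliberately no rule with src="dmz", dst="inside":
# a compromised public server learns nothing about, and reaches nothing on, the inside.
POLICY: List[Rule] = [
    Rule("outside", "dmz", "tcp", frozenset({80, 443}), "accept"),      # public web service
    Rule("inside", "dmz", "tcp", frozenset({22, 80, 443}), "accept"),   # admin + internal users
    Rule("dmz", "outside", "tcp", frozenset({25}), "accept"),           # outbound mail relay only
]


def decide(pkt: Packet, policy: List[Rule] = POLICY) -> str:
    """Return 'accept' or 'drop' for a forwarded packet under the zone policy."""
    if pkt.state == "established":
        # Replies belonging to a flow that was already accepted are let through.
        return "accept"
    src: Optional[str] = ZONES.get(pkt.iif)
    dst: Optional[str] = ZONES.get(pkt.oif)
    if src is None or dst is None or src == dst:
        # Unknown interface, or traffic that never crosses a zone boundary.
        return "drop"
    for rule in policy:
        if (rule.src == src and rule.dst == dst and rule.proto == pkt.proto
                and (not rule.dports or pkt.dport in rule.dports)):
            return rule.action
    return "drop"  # default deny


def dmz_isolated(policy: List[Rule] = POLICY) -> bool:
    """True if no rule lets the server segment initiate traffic toward the inside."""
    return not any(r.src == "dmz" and r.dst == "inside" and r.action == "accept"
                   for r in policy)


def render_nft(policy: List[Rule] = POLICY) -> str:
    """Render the zone policy as an nftables forward chain with a drop default."""
    iface = {zone: nic for nic, zone in ZONES.items()}
    lines = [
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in policy:
        ports = ""
        if r.dports:
            plist = ", ".join(str(p) for p in sorted(r.dports))
            ports = f" {r.proto} dport {{ {plist} }}"
        lines.append(f'    iifname "{iface[r.src]}" oifname "{iface[r.dst]}"{ports} {r.action}')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # A few constructed packets showing the boundary in action.
    for p in [Packet("eth0", "eth1", "tcp", 80, "new"),     # outside -> web server
              Packet("eth1", "eth2", "tcp", 445, "new"),    # DMZ host probing the inside
              Packet("eth2", "eth1", "tcp", 22, "new")]:    # admin ssh into the DMZ
        print(ZONES[p.iif], "->", ZONES[p.oif], p.proto, p.dport, "=>", decide(p))
    print("DMZ isolated from inside:", dmz_isolated())
    print(render_nft())
```

The policy table, not the segment's name, is what carries the security property: the check in `dmz_isolated` is the one to keep in a config test so that a later "temporary" rule from the server segment into the inside does not slip past review.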
