RE: DMZ, defined.

["Andrew J. Luca" <andrewluca () mediaone net>]

I completely disagree - except for the part about marketing mucking up the
clarity of things.

        There are many cases that I have seen in which it is perfectly acceptable
and even desirable to have a machine stuck between the router and the
firewall.  This can be a necessity due to performance or the need to share a
machine between two organizations without ever wanting to have traffic enter
either organization.  I think that what we often forget when defining things
in such black and white terms is that not all firewalls are attached to the
Internet.  Of course, this is by far the largest number of firewalls
deployed but there are many other uses.

I worked for one organization which has developed standards for Intranet,
Internet, and Extranet firewalls (now, they don't always follow them but
that is another post).  In the case of the extranet definition, there are
clear needs for a machine to which each company can push FTP files to since
neither is willing to let the other pull the files.  It makes absolutely no
sense to put this machine behind the firewall since you might just as well
allow your partner to push the information to the destination machine(s).

If we are talking about definitions, I think that the first actual book that
I saw DMZ in was the Cheswick/Bellovin text which showed machines existing
in the DMZ.  While I agree that this is not a product feature any more than
a collision domain is a feature of an Ethernet repeater, I think that you
should rethink your definition.

Andrew

Disclaimer: My opinions are mine, all mine.  My employer does not endorse my
opinions (or even acknowledge that I might have one).  Complaints should be
forwarded  to the source or a null sink.

-----Original Message-----
From:   owner-firewall-wizards () nfr net [mailto:owner-firewall-wizards () nfr net]
On Behalf Of John Kozubik
Sent:   Tuesday, January 19, 1999 1:19 PM
To:     firewall-wizards () nfr net
Subject:        DMZ, defined.


Not wanting to really pursue the subject anymore, as I entered simply to
point out a matter of fact  ...  I will quickly define what I think the
real definition of 'DMZ' is and why it is being misused by security
software firms, users, list subscribers, etc.

The DMZ, officially, is the are between the router (or ISDN modem, etc.)
and the firewall.

The DMZ is _not_ a product feature, as companies like CheckPoint like to
make it out to be.  Although some firewalls support having a second
security policy off of a third NIC going to a group of machines that may
be less protected then the 'core' off of the second NIC, it is not
really a DMZ, even though they call it that.  In this case, those
machines are behind the firewall, albeit on a different NIC.  Therefore,
they cannot be in the DMZ.

You may never have _any_ machines in the DMZ.  Having a machine in the
DMZ is asking for trouble in most cases.  Machines in the DMZ are not
protected in any way by the firewall, since they are between the
firewall and the outside world.

This is somewhat of a sore spot with me, as I have personally witnessed
IT managers demand that the firewall software being evaluated contain a
DMZ 'feature'.

I realize that it gets comfusing when the 'real' definition refers to
one thing (in this case the area between router and firewall) and other
definitions are different - blame this on marketing.

What should the area behind the firewall off of the third NIC with a
lighter security policy be called??  Well, in keeping with the cool
vietnam war throwback terms, I would suggest "holding pen" or maybe even
"most of you could define different policies behind the firewall based
on IP, and not on subnet, and are therefore wasting a perfectly good
NIC".  Not all, but most.

kozubik - John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE  AD87 520F 57BE 850B E4C4


______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com