Firewall Wizards mailing list archives
Re: DMZ best practices
From: "John Kozubik" <john_kozubik_dc () hotmail com>
Date: Sat, 16 Jan 1999 16:03:14 PST
Perry,

A lot of whiz-bang firewall packages offered these days (Checkpoint software's FireWall-1 comes to mind) offer you the ability to implement a 'DMZ'. Now this is all fine and good from a marketing standpoint for these companies, as it sounds like they have some new feature set that we should all get excited about ... but in reality it is not that big of a deal. Set up your firewall, put machines behind it, then, between your firewall and the router, throw in a hub - now put a machine on the hub. Boom - you have a DMZ.

So the first point I would like to make is that a DMZ is not a _feature_, because all it means is a machine or set of machines outside the firewall. Those machines can even be in the same subnet that the firewall and the protected machines are in.

Now, it is possible to put three NICs in your firewall, and then set up a filtering policy between the outside world and machines off of NIC #1, and set up a less stringent (or complete passthrough) filtering policy between the outside world and machines off of NIC #2. This is not exactly a DMZ, but a lot of vendors call it that. This is, at best, a pseudo DMZ, because the machines are still behind the firewall. The DMZ is _not_ protected by a firewall, or else it is not a real DMZ.

Now, what kind of machines would you put in the DMZ? Not many, in my opinion. Mail, news, www, etc. should _always_ be behind a firewall with a security policy in place. Now maybe your firewall (as stated above) calls an area with a less stringent security policy a DMZ - if they do, fine. Whatever you call it, don't put these critical machines _outside_ the firewall.

As of this writing, the only machine I can think of that belongs outside of the firewall is a data collection machine for intrusion detection - and it forwards that data to an analysis machine _behind_ the firewall. I would also put a hub between the router and the firewall - even if you don't connect a data collection machine there. This way, if there is ever an emergency and you need to throw something outside the firewall (during an attack, for instance) you can do so without unplugging the network briefly. Also, you can put in a second or third collection machine without disrupting network traffic.

So therefore, I guess it all comes down to what you are defining as a DMZ. If you use the "real" definition, then no, your mail, etc. machines do not belong there. If you are using a definition printed on some glitzy box quoted from the PR material, well maybe it does - as long as it is behind the firewall.

kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE AD87 520F 57BE 850B E4C4
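The three-NIC layout the post describes (an outside leg, an internal leg, and a less stringent "pseudo DMZ" leg), plus the one hole it needs for an outside data-collection machine that forwards to an analysis machine inside, modeled as a first-match packet filter. This is an added example, not code from the post or from the list; the interface names, the addresses (RFC 5737 and RFC 1918 documentation ranges), the port 5000 used for the sensor feed, and the exact rule choices are all assumptions made for the example. The `dmz_passthrough` flag contrasts the "complete passthrough" DMZ leg the post mentions with a leg that still carries a policy; in both variants traffic from the DMZ leg into the internal network is dropped, which is what matters if a DMZ host is compromised, and addresses that do not belong on an interface are dropped as spoofed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Interfaces of the three-NIC firewall (names are an assumption for this example).
OUTSIDE_IF = "eth0"   # toward the router, via the hub
INSIDE_IF = "eth1"    # protected machines: mail, news, www live here
DMZ_IF = "eth2"       # the vendor-style "pseudo DMZ" leg, still behind the firewall

# Constructed addressing (documentation/private ranges), not taken from the post.
ANY = ip_network("0.0.0.0/0")
INSIDE_NET = ip_network("10.1.0.0/16")
DMZ_NET = ip_network("192.0.2.0/24")
DMZ_WWW = ip_network("192.0.2.80/32")
IDS_SENSOR = ip_network("198.51.100.10/32")   # collector on the hub, outside the firewall
IDS_ANALYSIS = ip_network("10.1.0.50/32")     # analysis host inside the firewall
IDS_PORT = 5000                               # hypothetical port the sensor forwards on


@dataclass(frozen=True)
class Rule:
    in_if: Optional[str]      # None matches any interface
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str]      # None matches any protocol
    dport: Optional[int]      # None matches any destination port
    action: str               # "accept" or "drop"
    note: str

    def matches(self, in_if, src, dst, proto, dport) -> bool:
        return ((self.in_if is None or self.in_if == in_if)
                and src in self.src and dst in self.dst
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


def build_policy(dmz_passthrough: bool) -> List[Rule]:
    """First-match ruleset for connection-initiating packets only.

    Replies are assumed to be handled by connection tracking, so they are
    not modeled here.
    """
    rules = [
        # Anti-spoofing: inside or DMZ addresses never arrive on the outside leg.
        Rule(OUTSIDE_IF, INSIDE_NET, ANY, None, None, "drop", "spoofed inside address"),
        Rule(OUTSIDE_IF, DMZ_NET, ANY, None, None, "drop", "spoofed DMZ address"),
        # The one hole for the outside collector: it may only push to the analysis box.
        Rule(OUTSIDE_IF, IDS_SENSOR, IDS_ANALYSIS, "tcp", IDS_PORT, "accept",
             "IDS sensor on the hub -> analysis host inside"),
        # Nothing else from outside reaches the protected network.
        Rule(OUTSIDE_IF, ANY, INSIDE_NET, None, None, "drop", "outside -> inside"),
    ]
    if dmz_passthrough:
        # Vendor "complete passthrough" DMZ leg: outside reaches any DMZ host/port.
        rules.append(Rule(OUTSIDE_IF, ANY, DMZ_NET, None, None, "accept",
                          "outside -> DMZ (passthrough)"))
    else:
        # Less stringent than the inside policy, but still a policy: web ports only.
        rules.append(Rule(OUTSIDE_IF, ANY, DMZ_WWW, "tcp", 80, "accept", "outside -> DMZ www"))
        rules.append(Rule(OUTSIDE_IF, ANY, DMZ_WWW, "tcp", 443, "accept", "outside -> DMZ www"))
        rules.append(Rule(OUTSIDE_IF, ANY, DMZ_NET, None, None, "drop", "outside -> DMZ other"))
    rules += [
        # A compromised DMZ host must not become a stepping stone into the inside.
        Rule(DMZ_IF, DMZ_NET, INSIDE_NET, None, None, "drop", "DMZ -> inside"),
        Rule(DMZ_IF, DMZ_NET, ANY, None, None, "accept", "DMZ -> outside"),
        # Protected machines may initiate outward.
        Rule(INSIDE_IF, INSIDE_NET, ANY, None, None, "accept", "inside -> anywhere"),
    ]
    return rules


def evaluate(rules: List[Rule], in_if: str, src: str, dst: str,
             proto: Optional[str] = None, dport: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, note) of the first matching rule; default is deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.matches(in_if, s, d, proto, dport):
            return r.action, r.note
    return "drop", "default deny"


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.5 stands in for an arbitrary Internet host.
    flows = [
        (OUTSIDE_IF, "203.0.113.5", "192.0.2.80", "tcp", 80),    # web on the DMZ leg
        (OUTSIDE_IF, "203.0.113.5", "192.0.2.80", "tcp", 22),    # ssh on the DMZ leg
        (OUTSIDE_IF, "203.0.113.5", "10.1.0.25", "tcp", 25),     # mail server inside
        (OUTSIDE_IF, "198.51.100.10", "10.1.0.50", "tcp", 5000), # sensor feed
        (DMZ_IF, "192.0.2.80", "10.1.0.25", "tcp", 25),          # DMZ host toward inside
        (OUTSIDE_IF, "10.1.0.7", "192.0.2.80", "tcp", 80),       # spoofed inside source
    ]
    for name, policy in (("strict DMZ leg", build_policy(False)),
                         ("passthrough DMZ leg", build_policy(True))):
        print(f"== {name} ==")
        for f in flows:
            action, note = evaluate(policy, *f)
            print(f"{f[0]} {f[1]} -> {f[2]} {f[3]}/{f[4]}: {action} ({note})")
```

The point the model makes concrete is that the DMZ leg is only "less stringent" relative to the inside leg; it still sits behind the firewall and is subject to whatever the DMZ-to-inside rule says. The collector on the hub, by contrast, is outside the filter entirely and gets exactly one path through it.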
Current thread:
- DMZ best practices Perry, David (Jan 15)
- Re: DMZ best practices Bennett Todd (Jan 19)
- <Possible follow-ups>
- Re: DMZ best practices John Kozubik (Jan 18)
- Re: DMZ best practices Jeromie Jackson (Jan 19)
- Re: DMZ best practices Amos Hayes (Jan 20)
- Re: DMZ best practices Dominique Brezinski (Jan 19)
- Re: DMZ best practices Jeromie Jackson (Jan 19)
- Re: DMZ best practices Bill_Royds (Jan 19)
- RE: DMZ best practices Andreas Haug (Jan 20)
- Re: DMZ best practices John Kozubik (Jan 20)
- Re: DMZ best practices Security (Jan 20)
- Re: DMZ best practices Dominique Brezinski (Jan 21)
- RE: DMZ best practices Bill_Royds (Jan 21)
- RE: DMZ best practices Andreas Haug (Jan 26)
(Thread continues...)