Firewall Wizards mailing list archives

Re: Reverse Proxy on DMZ


From: "Matt McClung" <mmcclung () ndwcorp com>
Date: Tue, 19 Jan 1999 09:44:32 -0700

I don't mind the interjection.

I don't know how you tend to set up your DMZs, but for myself, when I
create a new network off the firewall - be it DMZ, Extranet, etc. - NOTHING
is allowed that I don't specifically allow.  For instance, if I put a mail
relay host on my DMZ I ONLY allow SMTP to that box and nothing else.  All
other traffic is denied.

Now, I must admit I do see the servers on the DMZ as
quasi-sacrificial boxes, but I don't just allow anyone to do anything on
those servers.

I don't believe Checkpoint is the one who termed the phrase DMZ - in fact I
know several FW/Security products which use the term.  The whole phrase
DeMilitarized Zone does not necessarily mean that you have no defenses in
that area.  The term refers to an area which is handled differently (access
wise) than your internal LAN.  You never allow access into the LAN directly.
But you do allow some traffic into the DMZ.

Matt McClung
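The policy described in the post above (default deny on the third leg, one permitted service to one DMZ host, nothing from the DMZ or the Internet straight into the LAN) is easy to state and easy to get subtly wrong. The following is an added example, not code from the original thread or from any firewall product: a small zone-based policy evaluator with a constructed three-legged layout (Internet, DMZ 192.0.2.0/24, LAN 10.0.0.0/8; the relay address 192.0.2.25 and the rule shape are assumptions chosen for illustration). It decides a handful of constructed flows the way the post's ruleset would, including the case where the "quasi-sacrificial" relay is assumed compromised and tries to reach the LAN.

```python
"""Default-deny policy for a three-legged firewall (Internet, DMZ, LAN).

Added example; not from the original mailing-list post. The zones, the
addresses, the mail relay at 192.0.2.25 and the rule format are all
assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addressing for the example (assumption).
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "lan": ip_network("10.0.0.0/8"),
    "internet": ip_network("0.0.0.0/0"),   # catch-all, checked last
}
MAIL_RELAY = "192.0.2.25"   # the only DMZ host anything may talk to


def zone_of(addr: str) -> str:
    """Map an address to its zone; specific zones are checked before the catch-all."""
    ip = ip_address(addr)
    for name in ("dmz", "lan", "internet"):
        if ip in ZONES[name]:
            return name
    raise ValueError(f"no zone for {addr}")


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: Optional[str]   # None = any host in dst_zone
    proto: str
    dport: Optional[int]      # None = any port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# The complete list of explicit permits. Anything not matched here is dropped,
# which is the "NOTHING is allowed that I don't specifically allow" stance.
POLICY: List[Rule] = [
    Rule("internet", "dmz", MAIL_RELAY, "tcp", 25),   # inbound SMTP to the relay only
    Rule("lan", "dmz", MAIL_RELAY, "tcp", 25),        # internal hosts hand mail to the relay
    Rule("lan", "internet", None, "tcp", 80),         # outbound web from the LAN
]


def decide(flow: Flow, policy: List[Rule] = POLICY) -> str:
    """Return ACCEPT or DROP for one flow crossing the firewall."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "ACCEPT"   # same segment; the firewall never sees this traffic
    for r in policy:
        if (r.src_zone, r.dst_zone, r.proto) != (src_zone, dst_zone, flow.proto):
            continue
        if r.dst_host is not None and r.dst_host != flow.dst:
            continue
        if r.dport is not None and r.dport != flow.dport:
            continue
        return "ACCEPT"
    return "DROP"         # default deny: no matching permit


def rules_into_lan(policy: List[Rule] = POLICY) -> List[Rule]:
    """Lint: any permit whose destination is the LAN from another zone violates
    'you never allow access into the LAN directly'."""
    return [r for r in policy if r.dst_zone == "lan" and r.src_zone != "lan"]


if __name__ == "__main__":
    # Constructed flows; the last one models a compromised relay trying to pivot.
    samples = [
        Flow("203.0.113.7", MAIL_RELAY, "tcp", 25),    # Internet -> relay SMTP
        Flow("203.0.113.7", MAIL_RELAY, "tcp", 22),    # Internet -> relay SSH
        Flow("203.0.113.7", "192.0.2.80", "tcp", 25),  # Internet -> other DMZ host
        Flow("203.0.113.7", "10.0.0.5", "tcp", 25),    # Internet -> LAN directly
        Flow("10.0.0.5", MAIL_RELAY, "tcp", 25),       # LAN -> relay
        Flow(MAIL_RELAY, "10.0.0.5", "tcp", 25),       # relay -> LAN (pivot attempt)
    ]
    for f in samples:
        print(f"{f.src:>14} -> {f.dst:>12}:{f.dport:<3} {f.proto}  {decide(f)}")
    print("permits into LAN from outside:", rules_into_lan())
```

Note that with this ruleset the relay cannot deliver inbound mail to an internal mail host at all; a real deployment would add exactly one more narrow permit (relay to the internal mail server, tcp/25) and `rules_into_lan()` would then flag it for review, which is the point of the lint: every hole into the LAN should be a deliberate, visible exception.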

-----Original Message-----
From: John Kozubik <john_kozubik_dc () hotmail com>
To: perry () piermont com <perry () piermont com>; joel_snider () yahoo com
<joel_snider () yahoo com>; mmcclung () ndwcorp com <mmcclung () ndwcorp com>
Cc: firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Monday, January 18, 1999 4:48 PM
Subject: Re: Reverse Proxy on DMZ


I am sorry to interject in the middle of the discussion here, but I must
protest the use of the term "DMZ" in relation to separate segments that
still remain behind the firewall.

The DMZ is not firewalled.  The DMZ exists _between_ the firewall and
the router/modem/interface.

No matter what Checkpoint software and assorted other goons packaging
neat little things in shiny boxes tell you, the DMZ is not firewalled,
or a part of the firewall, or a segment off of the firewall, etc.

I don't know what you should call it - certainly some nifty sounding
throwback to the Vietnam war so we can all feel cool, but it is _not_
the DMZ.

You may be asking what the point of an area between the firewall and the
router is - it is for machines that should not be given any kind of
filtering whatsoever.  The data collection portion of the Navy's STEP
IDS system comes to mind, or the entire portion of NFR.  Or you can just
put a hub in the DMZ and leave it for machines that you will throw there
in case of emergency.

If someone tells you they are putting their mail or www server in the
DMZ, laugh at them for not firewalling these mission critical machines,
or calmly explain to them that the area off of the third NIC in their
firewall is _not_ the DMZ.  Unless you are from CheckPoint software, in
which case you are calling it a DMZ because the marketing goons think it
is a 'feature' or something.


kozubik - John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE  AD87 520F 57BE 850B E4C4


______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com


