Firewall Wizards mailing list archives

Re: Reverse Proxy on DMZ


From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Tue, 19 Jan 1999 19:25:47 -0500 (EST)

I don't believe Checkpoint is the one who coined the phrase DMZ - in fact, I
know several FW/Security products which use the term.  The whole phrase
DeMilitarized Zone does not necessarily mean that you have no defenses in
that area.  The term refers to an area which is handled differently
(access-wise) than your internal LAN.  You never allow access into the LAN
directly.  But you do allow some traffic into the DMZ.

I was called on my use of it some months ago.  I had used it the way I
heard it - as an extra "leg" on the firewall.

I went and looked in both C&B and C&Z.  Lo and behold, the person who
called me out on it was right.  The "DMZ" in those books was actually
one of the perimeter networks between the presumed-hostile network and
the protected network.  This does not necessarily apply to one of the
protected legs of a multi-legged firewall.  In fact, if you think of a
firewall symmetrically, you should be able to protect all legs from
each other by some set of rules.  And you may have to, if each side
presumes the other to be hostile (say, on a firewall between
Engineering and Accounting).  But then the "new" meaning of "DMZ" makes
a lot less sense.

So, we have two choices.  Accept that the meaning of DMZ has evolved
into meaning a less-protected leg of a firewall.  Or be more precise
but less picturesque.

Personally, I don't have as much of an emotional investment as some
seem to.  I would just like to communicate accurately.

Eh?

--
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                     EMT-A/B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
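A concrete rendering of the "symmetric" reading of a multi-legged firewall discussed in the message above, added here as an example and not part of the original post or thread: an nftables forward ruleset for a three-legged firewall in which every leg is protected from every other by explicit rules, and the leg people now call the "DMZ" differs only in which inbound traffic is deliberately permitted. The interface names, addresses and permitted ports are assumptions invented for the example; the explicit drop rules are redundant under the default-drop policy and are there only to make the leg-to-leg matrix visible when reading the ruleset.

```nft
#!/usr/sbin/nft -f
# Example three-legged firewall (added illustration; interface names,
# addresses and ports below are assumptions, not from the original thread).
flush ruleset

define WAN     = "eth0"          # presumed-hostile network
define DMZ     = "eth1"          # leg that accepts some inbound traffic
define LAN     = "eth2"          # protected internal network
define WEB     = 192.0.2.10      # published web server on the DMZ leg
define DMZ_NET = 192.0.2.0/24
define LAN_NET = 10.0.0.0/24

table inet filter {
    chain forward {
        # Nothing crosses between legs unless a rule below says so.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already permitted.
        ct state established,related accept
        ct state invalid drop

        # WAN -> DMZ: only the published service, only on the published host.
        iifname $WAN oifname $DMZ ip daddr $WEB tcp dport { 80, 443 } accept

        # WAN -> LAN: never directly (already covered by policy drop).
        iifname $WAN oifname $LAN drop

        # LAN -> DMZ: administrative access from inside only.
        iifname $LAN oifname $DMZ ip saddr $LAN_NET ip daddr $DMZ_NET \
            tcp dport { 22, 443 } accept

        # LAN -> WAN: outbound web browsing.
        iifname $LAN oifname $WAN ip saddr $LAN_NET tcp dport { 80, 443 } accept

        # DMZ -> LAN: nothing; a compromised DMZ host must not reach inside.
        iifname $DMZ oifname $LAN drop

        # DMZ -> WAN: only what the published service itself needs.
        iifname $DMZ oifname $WAN ip saddr $DMZ_NET udp dport { 53, 123 } accept
    }

    chain input {
        # Traffic addressed to the firewall itself: management from LAN only.
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        iifname $LAN ip saddr $LAN_NET tcp dport 22 accept
    }
}
```

Check the file with `nft -c -f firewall.nft` before loading it, then `nft -f firewall.nft` and `nft list ruleset` to confirm what is active. Read the forward chain as a matrix with one row per ordered pair of legs: that is the symmetric view in the message above, and it shows why "the less-protected leg" is a statement about which accept rules exist, not about any leg lacking defenses.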


