Firewall Wizards mailing list archives
RE: DMZ, defined.
From: "Andrew J. Luca" <andrewluca () mediaone net>
Date: Thu, 21 Jan 1999 07:28:41 -0500
I completely disagree - except for the part about marketing mucking up the clarity of things. There are many cases that I have seen in which it is perfectly acceptable and even desirable to have a machine stuck between the router and the firewall. This can be a necessity due to performance or the need to share a machine between two organizations without ever wanting to have traffic enter either organization.

I think that what we often forget when defining things in such black and white terms is that not all firewalls are attached to the Internet. Of course, this is by far the largest number of firewalls deployed, but there are many other uses. I worked for one organization which has developed standards for Intranet, Internet, and Extranet firewalls (now, they don't always follow them, but that is another post). In the case of the extranet definition, there are clear needs for a machine to which each company can push FTP files, since neither is willing to let the other pull the files. It makes absolutely no sense to put this machine behind the firewall, since you might just as well allow your partner to push the information to the destination machine(s).

If we are talking about definitions, I think that the first actual book that I saw DMZ in was the Cheswick/Bellovin text, which showed machines existing in the DMZ. While I agree that this is not a product feature any more than a collision domain is a feature of an Ethernet repeater, I think that you should rethink your definition.

Andrew

Disclaimer: My opinions are mine, all mine. My employer does not endorse my opinions (or even acknowledge that I might have one). Complaints should be forwarded to the source or a null sink.

-----Original Message-----
From: owner-firewall-wizards () nfr net [mailto:owner-firewall-wizards () nfr net] On Behalf Of John Kozubik
Sent: Tuesday, January 19, 1999 1:19 PM
To: firewall-wizards () nfr net
Subject: DMZ, defined.
Not wanting to really pursue the subject anymore, as I entered simply to point out a matter of fact ... I will quickly define what I think the real definition of 'DMZ' is and why it is being misused by security software firms, users, list subscribers, etc.

The DMZ, officially, is the area between the router (or ISDN modem, etc.) and the firewall. The DMZ is _not_ a product feature, as companies like CheckPoint like to make it out to be. Although some firewalls support having a second security policy off of a third NIC going to a group of machines that may be less protected than the 'core' off of the second NIC, it is not really a DMZ, even though they call it that. In this case, those machines are behind the firewall, albeit on a different NIC. Therefore, they cannot be in the DMZ.

You may never have _any_ machines in the DMZ. Having a machine in the DMZ is asking for trouble in most cases. Machines in the DMZ are not protected in any way by the firewall, since they are between the firewall and the outside world.

This is somewhat of a sore spot with me, as I have personally witnessed IT managers demand that the firewall software being evaluated contain a DMZ 'feature'. I realize that it gets confusing when the 'real' definition refers to one thing (in this case the area between router and firewall) and other definitions are different - blame this on marketing.

What should the area behind the firewall off of the third NIC with a lighter security policy be called?? Well, in keeping with the cool Vietnam war throwback terms, I would suggest "holding pen" or maybe even "most of you could define different policies behind the firewall based on IP, and not on subnet, and are therefore wasting a perfectly good NIC". Not all, but most.

kozubik

- John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE AD87 520F 57BE 850B E4C4

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
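The two placements argued over in this thread (a host sitting outside the firewall between it and the router, versus a screened segment on a third NIC with its own, lighter policy) differ in what the firewall can enforce. The ruleset below is an added illustration, not code from either poster; it is a modern nftables expression of the third-NIC arrangement Kozubik describes, with a partner FTP drop box of the kind Luca mentions placed on that segment instead of outside the firewall. Interface names, addresses and the partner network are assumed example values.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original posts. Assumed layout:
#   eth0 = outside (towards the router), eth1 = internal LAN,
#   eth2 = screened segment ("DMZ" in the vendor sense)
# Example addresses: 192.0.2.10 partner FTP drop box, 192.0.2.20 web server,
# 198.51.100.0/24 the partner's network.
flush ruleset

table inet fw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to flows that were already permitted, in any direction.
        ct state established,related accept
        ct state invalid drop

        # Internal LAN may open connections to the screened segment and outside.
        iifname "eth1" oifname { "eth0", "eth2" } ct state new accept

        # Outside reaches the screened segment only for published services,
        # and the FTP drop box only from the partner's network (policy by
        # address, not just by subnet/NIC, as the thread notes is possible).
        iifname "eth0" oifname "eth2" ip saddr 198.51.100.0/24 \
            ip daddr 192.0.2.10 tcp dport 21 ct state new accept
        iifname "eth0" oifname "eth2" ip daddr 192.0.2.20 \
            tcp dport { 80, 443 } ct state new accept
        # Note: FTP data channels additionally need the ftp conntrack helper,
        # which is deliberately left out of this fragment.

        # The screened segment never initiates flows into the internal LAN,
        # so a compromised drop box cannot reach the inside; it may go outside.
        iifname "eth2" oifname "eth1" drop
        iifname "eth2" oifname "eth0" ct state new accept
    }
}
```

A host placed in the router-to-firewall gap in Kozubik's sense gets none of these rules: the firewall is not in its path at all, which is exactly the trade-off the two posts disagree about.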
Current thread:
- DMZ, defined. John Kozubik (Jan 20)
- WinNT and Firewall-1 Alyea (Jan 21)
- RE: DMZ, defined. Andrew J. Luca (Jan 21)
- <Possible follow-ups>
- Re: DMZ, defined. Chris Kostick (Jan 21)
- Re: DMZ, defined. dreamwvr (Jan 26)
- RE: DMZ, defined. graham, randy (Jan 21)
- RE: DMZ, defined. Paul D. Robertson (Jan 26)
- RE: DMZ, defined. dreamwvr (Jan 27)
- RE: DMZ, defined. Paul D. Robertson (Jan 27)
- Re: DMZ, defined. Joseph S D Yao (Jan 28)
- RE: DMZ, defined. David LeBlanc (Jan 27)
- RE: DMZ, defined. Paul D. Robertson (Jan 26)
- Re: DMZ, defined. Jon E. Hetty (Jan 21)
- RE: DMZ, defined. graham, randy (Jan 26)