Firewall Wizards mailing list archives

Re: DMZ, defined.

From: "Jon E. Hetty" <jehetty () online no>
Date: Thu, 21 Jan 1999 23:48:13 +0100

Hi there,

One might argue that since the third NIC is not technically 'behind' the
firewall (but simply on the same hardware), that it is in the DMZ.
Also, in my opinion,  there is nothing wrong with putting a machine in the
DMZ as long as you know what you are doing. Such a machine can be called a
'sacrificial lamb' for lack of a better word. You just have to accept the
risk of it being hacked and act accordingly.

 - Jon

-----Original Message-----
From: John Kozubik <john_kozubik_dc () hotmail com>
To: firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: 21. januar 1999 00:09
Subject: DMZ, defined.


Not wanting to really pursue the subject anymore, as I entered simply to
point out a matter of fact  ...  I will quickly define what I think the
real definition of 'DMZ' is and why it is being misused by security
software firms, users, list subscribers, etc.

The DMZ, officially, is the are between the router (or ISDN modem, etc.)
and the firewall.

The DMZ is _not_ a product feature, as companies like CheckPoint like to
make it out to be.  Although some firewalls support having a second
security policy off of a third NIC going to a group of machines that may
be less protected then the 'core' off of the second NIC, it is not
really a DMZ, even though they call it that.  In this case, those
machines are behind the firewall, albeit on a different NIC.  Therefore,
they cannot be in the DMZ.

You may never have _any_ machines in the DMZ.  Having a machine in the
DMZ is asking for trouble in most cases.  Machines in the DMZ are not
protected in any way by the firewall, since they are between the
firewall and the outside world.

This is somewhat of a sore spot with me, as I have personally witnessed
IT managers demand that the firewall software being evaluated contain a
DMZ 'feature'.

I realize that it gets comfusing when the 'real' definition refers to
one thing (in this case the area between router and firewall) and other
definitions are different - blame this on marketing.

What should the area behind the firewall off of the third NIC with a
lighter security policy be called??  Well, in keeping with the cool
vietnam war throwback terms, I would suggest "holding pen" or maybe even
"most of you could define different policies behind the firewall based
on IP, and not on subnet, and are therefore wasting a perfectly good
NIC".  Not all, but most.

kozubik - John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE  AD87 520F 57BE 850B E4C4


______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com

Current thread:

WinNT and Firewall-1, (continued)
- WinNT and Firewall-1 Alyea (Jan 21)
- RE: DMZ, defined. Andrew J. Luca (Jan 21)
- Re: DMZ, defined. Chris Kostick (Jan 21)
  - Re: DMZ, defined. dreamwvr (Jan 26)
- RE: DMZ, defined. graham, randy (Jan 21)
  - RE: DMZ, defined. Paul D. Robertson (Jan 26)
    - RE: DMZ, defined. dreamwvr (Jan 27)
    - RE: DMZ, defined. Paul D. Robertson (Jan 27)
    - Re: DMZ, defined. Joseph S D Yao (Jan 28)
    - RE: DMZ, defined. David LeBlanc (Jan 27)
- Re: DMZ, defined. Jon E. Hetty (Jan 21)
- RE: DMZ, defined. graham, randy (Jan 26)
  - RE: DMZ, defined. Paul D. Robertson (Jan 26)
- RE: DMZ, defined. Ken_Stephens (Jan 26)
  - RE: DMZ, defined. Chris Crozier (Jan 27)
- Re: DMZ, defined. Steve Bellovin (Jan 27)
- RE: DMZ, defined. Glenn Larsson (Jan 28)
  - RE: DMZ, defined. dreamwvr (Jan 29)
- RE: DMZ, defined. Stefan Jon Silverman (Jan 29)
- RE: DMZ, defined. jwalsh (Jan 29)