Firewall Wizards mailing list archives
Re: DMZ, defined.
From: "Jon E. Hetty" <jehetty () online no>
Date: Thu, 21 Jan 1999 23:48:13 +0100
Hi there, One might argue that since the third NIC is not technically 'behind' the firewall (but simply on the same hardware), that it is in the DMZ. Also, in my opinion, there is nothing wrong with putting a machine in the DMZ as long as you know what you are doing. Such a machine can be called a 'sacrificial lamb' for lack of a better word. You just have to accept the risk of it being hacked and act accordingly. - Jon -----Original Message----- From: John Kozubik <john_kozubik_dc () hotmail com> To: firewall-wizards () nfr net <firewall-wizards () nfr net> Date: 21. januar 1999 00:09 Subject: DMZ, defined.
Not wanting to really pursue the subject anymore, as I entered simply to point out a matter of fact ... I will quickly define what I think the real definition of 'DMZ' is and why it is being misused by security software firms, users, list subscribers, etc. The DMZ, officially, is the are between the router (or ISDN modem, etc.) and the firewall. The DMZ is _not_ a product feature, as companies like CheckPoint like to make it out to be. Although some firewalls support having a second security policy off of a third NIC going to a group of machines that may be less protected then the 'core' off of the second NIC, it is not really a DMZ, even though they call it that. In this case, those machines are behind the firewall, albeit on a different NIC. Therefore, they cannot be in the DMZ. You may never have _any_ machines in the DMZ. Having a machine in the DMZ is asking for trouble in most cases. Machines in the DMZ are not protected in any way by the firewall, since they are between the firewall and the outside world. This is somewhat of a sore spot with me, as I have personally witnessed IT managers demand that the firewall software being evaluated contain a DMZ 'feature'. I realize that it gets comfusing when the 'real' definition refers to one thing (in this case the area between router and firewall) and other definitions are different - blame this on marketing. What should the area behind the firewall off of the third NIC with a lighter security policy be called?? Well, in keeping with the cool vietnam war throwback terms, I would suggest "holding pen" or maybe even "most of you could define different policies behind the firewall based on IP, and not on subnet, and are therefore wasting a perfectly good NIC". Not all, but most. kozubik - John Kozubik - john_kozubik () hotmail com PGP DSS: 0EB8 4D07 D4D5 0C28 63FE AD87 520F 57BE 850B E4C4 ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com
Current thread:
- WinNT and Firewall-1, (continued)
- WinNT and Firewall-1 Alyea (Jan 21)
- RE: DMZ, defined. Andrew J. Luca (Jan 21)
- Re: DMZ, defined. Chris Kostick (Jan 21)
- Re: DMZ, defined. dreamwvr (Jan 26)
- RE: DMZ, defined. graham, randy (Jan 21)
- RE: DMZ, defined. Paul D. Robertson (Jan 26)
- RE: DMZ, defined. dreamwvr (Jan 27)
- RE: DMZ, defined. Paul D. Robertson (Jan 27)
- Re: DMZ, defined. Joseph S D Yao (Jan 28)
- RE: DMZ, defined. David LeBlanc (Jan 27)
- RE: DMZ, defined. Paul D. Robertson (Jan 26)
- Re: DMZ, defined. Jon E. Hetty (Jan 21)
- RE: DMZ, defined. graham, randy (Jan 26)
- RE: DMZ, defined. Paul D. Robertson (Jan 26)
- RE: DMZ, defined. Ken_Stephens (Jan 26)
- RE: DMZ, defined. Chris Crozier (Jan 27)
- Re: DMZ, defined. Steve Bellovin (Jan 27)
- RE: DMZ, defined. Glenn Larsson (Jan 28)
- RE: DMZ, defined. dreamwvr (Jan 29)
- RE: DMZ, defined. Stefan Jon Silverman (Jan 29)
- RE: DMZ, defined. jwalsh (Jan 29)