Firewall Wizards mailing list archives

RE: DMZ, defined.


From: "graham, randy" <randy_graham () hq dla mil>
Date: Fri, 22 Jan 1999 07:22:39 -0500

Very good response (and civil, thank you).  I don't have sufficient
experience in the field to try redefining terms.  In fact, when I want to
use a term, I look it up in my O'Reilly book to make sure it is correct.
The DMZ "definition" I used is actually not my own, but the way the firewall
admin at my last company used the term.  I don't really think of the network
off a third NIC as the DMZ, but I don't know the traditional use well enough
to tell that guy he was using the term incorrectly.  One of the things I was
really trying to say is that to communicate with someone with less
experience than a lot of people on this list (say, for example, myself), you
_MUST_ make some allowances for their vocabulary.  If they are using a term
wrong and you want to correct them, fine.  But at least try to give some
room for their definition.

If you do take your car to your mechanic and tell him you think the spark
plug wire is bad, and then explain or point out to him what you really
mean, he will correct you.  He won't afterwards go off and change the spark
plug wires to see if that fixes your problem.  He knows now what you were
referring to, he has corrected your use of the term, and he has moved on to
the real problem.  He doesn't work on the wrong thing just because you used
the wrong term, __provided__ you communicated in less/non-technical terms
and he understood what you really meant.  You've learned something, he's
fixed your problem, and everyone is happy now.  I won't argue with your
points on traditional meanings, because you are correct.  But for someone
without the strong knowledge of traditional usage that many here have
(again, myself as an example), telling them "that's not what that word
means" and having an attitude about it (not what you've done, but I've seen
it on this list) is far worse in my eyes than using a word incorrectly but
at least trying to establish what you really mean.  I really felt the
original poster was close to saying "You're using the term wrong, and I
won't work with you because you're a dummy" to the first person who made
incorrect use of the term.  I doubt that is how he intended to come across,
but he might want to lighten up a little to avoid that impression.

Oh, and I don't think anyone would call any part of the network Grape
Kool-aid, but I could be wrong   :-)

Randy Graham

-----Original Message-----
From: Paul D. Robertson [SMTP:proberts () clark net]
Sent: Thursday, January 21, 1999 9:33 PM
To:   graham, randy
Cc:   firewall-wizards () nfr net
Subject:      RE: DMZ, defined.

On Thu, 21 Jan 1999, graham, randy wrote:

> So now we have a language expert.  This talk about what a DMZ "really"
> is seems to miss one extremely important feature of language - change.
> Just

An equally important feature of language is to use traditional meanings 
to communicate effectively.

> check out the OED (Oxford English Dictionary) sometime.  The meaning of
> a word changes over time.  John, you no more have the right to give an
> absolute definition than anyone else here.  I think beyond saying that
> the

Yet not pointing out a generally accepted meaning to a term that has 
traditionally been used in a field can cause confusion. 

> DMZ is a less heavily protected region somewhere in our network arena
> (and even some people might disagree with this broad use), we really
> aren't going to have a general agreement on where exactly the DMZ goes.

In traditional firewalling terms, a DMZ is a network inside of our 
network boundary but outside of our bastion host.  Wanting it to be 
anything else doesn't automatically make it so.

> So an area behind a/the firewall off a third NIC cannot be called a DMZ.

It can be called "Grape Kool-aid", but that doesn't make it such or 
follow established tradition.
 
> Why not?  Because you don't want to call it that?  I put some equipment

No, because such networks have traditionally been labeled as "service 
networks", in keeping with the fact that they are offered some form of 
protection by the bastion host, and therefore topologically different 
than the traditional DMZ.

> there work, but try to offer some protection.  Why can't I call this a
> DMZ if that's what I think of as the DMZ?  It is fairly open, but I
> restrict

You can, but when you speak with others in the firewall community they'll 
think you mean something else.  There's nothing stopping you from calling 
it a "protected internal network" either.  Just don't expect others who 
are using the terminology built up in the field over a long period of 
time to (a) understand you, or (b) follow your terminology whims.

> what I can.  I track as well as I can what goes in and out there.  It
> doesn't have any more access to my internal net than the outside world.
> What's missing here?

What's missing is several years of firewalling architecture discussions 
which have built up some commonly used terminology.

> I really don't mean to be a jerk about this (I get to be a jerk at work
> enough that I don't need to act like that on mail lists to meet my daily
> recommended allowance).  In fact, I've enjoyed your recent postings and
> learned quite a bit these past couple of days.  But please don't tell me
> how I can define a term.  As long as everyone with whom I speak knows
> how I use the term, it should be fine.  I do know now what you mean by
> DMZ, but I

This causes ambiguity.  There's _more than enough_ ambiguity with terms 
such as "firewall", we really don't need more.

> don't use the term the same.  As long as we know this about each other,
> we can communicate effectively, and that is where we really need to be.

I'd question how effectively you can communicate, or what you do to a 
field by redefining terms to suit an individual whim.

If I tell my mechanic that the spark plug wire is bad, and I mean the 
previously established definition of spark plug wire which I and my
friends use to mean "left indicator bulb", I've added confusion for no
great reason.

Perhaps a better question would be what we gain from your use of a term 
which hasn't traditionally been used in the way in which you seem to want 
to use it.  As far as I can see, we gain ambiguity and confusion.

I'm not the language police, but I probably wouldn't agree to calling it 
"freebled whatsit network four" either.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."

PSB#9280
