Firewall Wizards mailing list archives

RE: DMZ, defined.


From: Ken_Stephens () em fcnbd com
Date: Tue, 26 Jan 1999 08:55:12 -0600



I think the point must be that we understand each other when we
communicate.  We do not need to agree on terms as long as we know the other
person's context and meaning.  I made the following point on the GreatCircle
list several years ago:

In the construction industry a "Firewall" is a solid, fire resistant or
fireproof surface that protects from fire penetration for some period of
time (x number of hours fire rating).  In our industry we build "Fire
Doors" not "Firewalls".  Fire Doors can be unlocked and opened to let
traffic flow under some situations (rules), but will still withstand attack
for some period of time when closed.  If you tried to explain network
firewalls to someone in the construction industry, you would be there a
long time trying to revise their view.

As professionals we must understand that terms may be used in a different
context even within our own industry.  The only protections we have are
diagrams, discussion and an open mind to other points of view.

Ken Stephens

Standard disclaimer applies
"Yes I said it!
No my employer didn't say it, may or may not think it or agree to agree
with it!"






From: "Andrew J. Luca" <andrewluca () mediaone net> AT INTERNET on 01/21/99
      07:28 AM

To:   "'John Kozubik'" <john_kozubik_dc () hotmail com> AT INTERNET@ccmail,
      <firewall-wizards () nfr net> AT INTERNET@ccmail

Subject:  RE: DMZ, defined.




I completely disagree - except for the part about marketing mucking up the
clarity of things.

There are many cases that I have seen in which it is perfectly acceptable
and even desirable to have a machine stuck between the router and the
firewall.  This can be a necessity due to performance or the need to share
a machine between two organizations without ever wanting to have traffic
enter either organization.  I think that what we often forget when defining
things in such black and white terms is that not all firewalls are attached
to the Internet.  Of course, this is by far the largest number of firewalls
deployed but there are many other uses.

I worked for one organization which has developed standards for Intranet,
Internet, and Extranet firewalls (now, they don't always follow them but
that is another post).  In the case of the extranet definition, there are
clear needs for a machine to which each company can push FTP files to since
neither is willing to let the other pull the files.  It makes absolutely no
sense to put this machine behind the firewall since you might just as well
allow your partner to push the information to the destination machine(s).

If we are talking about definitions, I think that the first actual book
that I saw DMZ in was the Cheswick/Bellovin text which showed machines
existing in the DMZ.  While I agree that this is not a product feature any
more than a collision domain is a feature of an Ethernet repeater, I think
that you should rethink your definition.

Andrew

Disclaimer: My opinions are mine, all mine.  My employer does not endorse
my opinions (or even acknowledge that I might have one).  Complaints should
be forwarded to the source or a null sink.

-----Original Message-----
From:        owner-firewall-wizards () nfr net
[mailto:owner-firewall-wizards () nfr net]
On Behalf Of John Kozubik
Sent:        Tuesday, January 19, 1999 1:19 PM
To:        firewall-wizards () nfr net
Subject:        DMZ, defined.


Not wanting to really pursue the subject anymore, as I entered simply to
point out a matter of fact ... I will quickly define what I think the
real definition of 'DMZ' is and why it is being misused by security
software firms, users, list subscribers, etc.

The DMZ, officially, is the area between the router (or ISDN modem, etc.)
and the firewall.

The DMZ is _not_ a product feature, as companies like CheckPoint like to
make it out to be.  Although some firewalls support having a second
security policy off of a third NIC going to a group of machines that may
be less protected than the 'core' off of the second NIC, it is not
really a DMZ, even though they call it that.  In this case, those
machines are behind the firewall, albeit on a different NIC.  Therefore,
they cannot be in the DMZ.

You may never have _any_ machines in the DMZ.  Having a machine in the
DMZ is asking for trouble in most cases.  Machines in the DMZ are not
protected in any way by the firewall, since they are between the
firewall and the outside world.

This is somewhat of a sore spot with me, as I have personally witnessed
IT managers demand that the firewall software being evaluated contain a
DMZ 'feature'.

I realize that it gets confusing when the 'real' definition refers to
one thing (in this case the area between router and firewall) and other
definitions are different - blame this on marketing.

What should the area behind the firewall off of the third NIC with a
lighter security policy be called??  Well, in keeping with the cool
Vietnam War throwback terms, I would suggest "holding pen" or maybe even
"most of you could define different policies behind the firewall based
on IP, and not on subnet, and are therefore wasting a perfectly good
NIC".  Not all, but most.

kozubik - John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE  AD87 520F 57BE 850B E4C4


______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
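As an added illustration of the distinction argued over above (editor-added example code, not written by anyone in the thread): a toy model in which a host sitting between the border router and the firewall is never filtered by the firewall at all, while hosts behind the firewall, whether on a third NIC or on the core network, are governed by a policy keyed on destination address rather than on which NIC they hang off. All addresses, segments and ports are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample addressing: which segment each host sits on.
# 'outside' is beyond the border router, 'dmz' is the segment between the
# router and the firewall, 'third' hangs off the firewall's third NIC and
# 'inside' is the core network.
SEGMENT_OF = {
    "203.0.113.10": "outside",   # an Internet host
    "198.51.100.5": "dmz",       # host placed between router and firewall
    "192.0.2.80":   "third",     # web server on the firewall's third NIC
    "10.0.0.25":    "inside",    # core host
}
OUTER = {"outside", "dmz"}       # segments the firewall does not stand in front of
INNER = {"third", "inside"}      # segments reachable only through the firewall

# Inbound policy keyed on the destination host, not on the NIC it sits behind:
# the 'lighter policy' for the third-NIC host is just a per-host rule.
INBOUND_POLICY = {
    "192.0.2.80": {80, 443},     # public web service
    "10.0.0.25": set(),          # nothing inbound to the core host
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def crosses_firewall(src_seg: str, dst_seg: str) -> bool:
    """The firewall only sees traffic it must forward between its NICs."""
    return src_seg != dst_seg and (src_seg in INNER or dst_seg in INNER)

def evaluate(pkt: Packet) -> str:
    """Return 'unfiltered', 'permitted' or 'dropped' for one packet."""
    s, d = SEGMENT_OF[pkt.src], SEGMENT_OF[pkt.dst]
    if not crosses_firewall(s, d):
        return "unfiltered"      # e.g. Internet -> DMZ host: firewall not in the path
    if s in OUTER:               # inbound toward a protected host
        return "permitted" if pkt.dport in INBOUND_POLICY.get(pkt.dst, set()) else "dropped"
    return "permitted"           # outbound and inter-segment traffic allowed in this toy model

def exposed_ports(dst: str, probes=(22, 23, 80, 443)) -> set:
    """Probe ports an Internet host could reach on dst under this model."""
    return {p for p in probes if evaluate(Packet("203.0.113.10", dst, p)) != "dropped"}

if __name__ == "__main__":
    for host in ("198.51.100.5", "192.0.2.80", "10.0.0.25"):
        print(host, SEGMENT_OF[host], sorted(exposed_ports(host)))
```

Running it shows the DMZ host reachable on every probed port regardless of firewall policy, the third-NIC host on 80 and 443 only, and the core host on nothing.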


