Firewall Wizards mailing list archives
RE: DMZ, defined.
From: Ken_Stephens () em fcnbd com
Date: Tue, 26 Jan 1999 08:55:12 -0600
I think the point must be that we understand each other when we communicate. We do not need to agree on terms as long as we know the other persons context and meaning. I made the following point on the GreatCircle list several years ago: In the construction industry a "Firewall" is a solid, fire resistant or fireproof surface that protects from fire penetration for some period of time (x number of hours fire rating). In our industry we build "Fire Doors" not "Firewalls". Fire Doors can be unlocked and opened to let traffic flow under some situations (rules), but will still withstand attack for some period of time when closed. If you tried to explain network firewalls to someone in the construction industry, you would be there a long time trying to revise their view. As professionals we must understand that terms may be used in a different context even within our own industry. The only protections we have are diagrams, discussion and an open mind to other points of view. Ken Stephens Standard disclaimer applies "Yes I said it! No my employer didn't say it, may or may not think it or agree to agree with it!" From: "Andrew J. Luca" <andrewluca () mediaone net> AT INTERNET on 01/21/99 07:28 AM To: "'John Kozubik'" <john_kozubik_dc () hotmail com> AT INTERNET@ccmail, <firewall-wizards () nfr net> AT INTERNET@ccmail Subject: RE: DMZ, defined. I completely disagree - except for the part about marketing mucking up the clarity of things. There are many cases that I have seen in which it is perfectly acceptable and even desirable to have a machine stuck between the router and the firewall. This can be a necessity due to performance or the need to share a machine between two organizations without ever wanting to have traffic enter either organization. I think that what we often forget when defining things in such black and white terms is that not all firewalls are attached to the Internet. Of course, this is by far the largest number of firewalls deployed but there are many other uses. I worked for one organization which has developed standards for Intranet, Internet, and Extranet firewalls (now, they don't always follow them but that is another post). In the case of the extranet definition, there are clear needs for a machine to which each company can push FTP files to since neither is willing to let the other pull the files. It makes absolutely no sense to put this machine behind the firewall since you might just as well allow your partner to push the information to the destination machine(s). If we are talking about definitions, I think that the first actual book that I saw DMZ in was the Cheswick/Bellovin text which showed machines existing in the DMZ. While I agree that this is not a product feature any more than a collision domain is a feature of an Ethernet repeater, I think that you should rethink your definition. Andrew Disclaimer: My opinions are mine, all mine. My employer does not endorse my opinions (or even acknowledge that I might have one). Complaints should be forwarded to the source or a null sink. -----Original Message----- From: owner-firewall-wizards () nfr net [mailto:owner-firewall-wizards () nfr net] On Behalf Of John Kozubik Sent: Tuesday, January 19, 1999 1:19 PM To: firewall-wizards () nfr net Subject: DMZ, defined. Not wanting to really pursue the subject anymore, as I entered simply to point out a matter of fact ... I will quickly define what I think the real definition of 'DMZ' is and why it is being misused by security software firms, users, list subscribers, etc. The DMZ, officially, is the are between the router (or ISDN modem, etc.) and the firewall. The DMZ is _not_ a product feature, as companies like CheckPoint like to make it out to be. Although some firewalls support having a second security policy off of a third NIC going to a group of machines that may be less protected then the 'core' off of the second NIC, it is not really a DMZ, even though they call it that. In this case, those machines are behind the firewall, albeit on a different NIC. Therefore, they cannot be in the DMZ. You may never have _any_ machines in the DMZ. Having a machine in the DMZ is asking for trouble in most cases. Machines in the DMZ are not protected in any way by the firewall, since they are between the firewall and the outside world. This is somewhat of a sore spot with me, as I have personally witnessed IT managers demand that the firewall software being evaluated contain a DMZ 'feature'. I realize that it gets comfusing when the 'real' definition refers to one thing (in this case the area between router and firewall) and other definitions are different - blame this on marketing. What should the area behind the firewall off of the third NIC with a lighter security policy be called?? Well, in keeping with the cool vietnam war throwback terms, I would suggest "holding pen" or maybe even "most of you could define different policies behind the firewall based on IP, and not on subnet, and are therefore wasting a perfectly good NIC". Not all, but most. kozubik - John Kozubik - john_kozubik () hotmail com PGP DSS: 0EB8 4D07 D4D5 0C28 63FE AD87 520F 57BE 850B E4C4 ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com
Attachment:
RFC822.TXT
Description: Text - character set unknown
Current thread:
- Re: DMZ, defined., (continued)
- Re: DMZ, defined. dreamwvr (Jan 26)
- RE: DMZ, defined. graham, randy (Jan 21)
- RE: DMZ, defined. Paul D. Robertson (Jan 26)
- RE: DMZ, defined. dreamwvr (Jan 27)
- RE: DMZ, defined. Paul D. Robertson (Jan 27)
- Re: DMZ, defined. Joseph S D Yao (Jan 28)
- RE: DMZ, defined. David LeBlanc (Jan 27)
- RE: DMZ, defined. Paul D. Robertson (Jan 26)
- Re: DMZ, defined. Jon E. Hetty (Jan 21)
- RE: DMZ, defined. graham, randy (Jan 26)
- RE: DMZ, defined. Paul D. Robertson (Jan 26)
- RE: DMZ, defined. Ken_Stephens (Jan 26)
- RE: DMZ, defined. Chris Crozier (Jan 27)
- Re: DMZ, defined. Steve Bellovin (Jan 27)
- RE: DMZ, defined. Glenn Larsson (Jan 28)
- RE: DMZ, defined. dreamwvr (Jan 29)
- RE: DMZ, defined. Stefan Jon Silverman (Jan 29)
- RE: DMZ, defined. jwalsh (Jan 29)