Re: DMZ, defined.
Jon E. Hetty (jehetty@online.no)
Thu, 21 Jan 1999 23:48:13 +0100
- Next message: graham, randy: "RE: DMZ, defined."
- Previous message: Andrew J. Luca: "RE: DMZ, defined."
- In reply to: John Kozubik: "DMZ, defined."
- Next in thread: graham, randy: "RE: DMZ, defined."
Hi there,
One might argue that since the third NIC is not technically 'behind' the
firewall (but simply on the same hardware), that it is in the DMZ.
Also, in my opinion, there is nothing wrong with putting a machine in the
DMZ as long as you know what you are doing. Such a machine can be called a
'sacrificial lamb' for lack of a better word. You just have to accept the
risk of it being hacked and act accordingly.
- Jon
-----Original Message-----
From: John Kozubik <john_kozubik_dc@hotmail.com>
To: firewall-wizards@nfr.net <firewall-wizards@nfr.net>
Date: 21 January 1999 00:09
Subject: DMZ, defined.
>
>Not wanting to really pursue the subject anymore, as I entered simply to
>point out a matter of fact ... I will quickly define what I think the
>real definition of 'DMZ' is and why it is being misused by security
>software firms, users, list subscribers, etc.
>
>The DMZ, officially, is the area between the router (or ISDN modem, etc.)
>and the firewall.
>
>The DMZ is _not_ a product feature, as companies like CheckPoint like to
>make it out to be. Although some firewalls support having a second
>security policy off of a third NIC going to a group of machines that may
>be less protected than the 'core' off of the second NIC, it is not
>really a DMZ, even though they call it that. In this case, those
>machines are behind the firewall, albeit on a different NIC. Therefore,
>they cannot be in the DMZ.
>
>You may never have _any_ machines in the DMZ. Having a machine in the
>DMZ is asking for trouble in most cases. Machines in the DMZ are not
>protected in any way by the firewall, since they are between the
>firewall and the outside world.
>
>This is somewhat of a sore spot with me, as I have personally witnessed
>IT managers demand that the firewall software being evaluated contain a
>DMZ 'feature'.
>
>I realize that it gets confusing when the 'real' definition refers to
>one thing (in this case the area between router and firewall) and other
>definitions are different - blame this on marketing.
>
>What should the area behind the firewall off of the third NIC with a
>lighter security policy be called?? Well, in keeping with the cool
>vietnam war throwback terms, I would suggest "holding pen" or maybe even
>"most of you could define different policies behind the firewall based
>on IP, and not on subnet, and are therefore wasting a perfectly good
>NIC". Not all, but most.
>
>kozubik - John Kozubik - john_kozubik@hotmail.com
>PGP DSS: 0EB8 4D07 D4D5 0C28 63FE AD87 520F 57BE 850B E4C4
>
>
>______________________________________________________
>Get Your Private, Free Email at http://www.hotmail.com
>
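The topology distinction argued over in the quoted post, as an added example that is not part of the thread and not anyone's code from it: a small Python model in which a host sitting on the wire between the router and the firewall is reached before any firewall policy is consulted, while a host on the firewall's third NIC is reached only through that NIC's (lighter) rule set, and a single host on the core NIC can be opened up with a per-IP rule rather than a whole subnet. All addresses (RFC 5737 documentation ranges and 10/8 private space), interface names and rules are constructed for the example; `Firewall`, `deliver` and `classify` are hypothetical helper names.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    dst_net: str             # destination network the rule covers (a /32 gives a per-host rule)
    dport: Optional[int]     # None matches any port
    action: str              # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        in_net = ip_address(pkt.dst) in ip_network(self.dst_net)
        return in_net and (self.dport is None or self.dport == pkt.dport)


@dataclass(frozen=True)
class Interface:
    name: str
    network: str             # segment attached to this NIC
    rules: Tuple[Rule, ...]  # ordered, first match wins
    default: str             # verdict when no rule matches


class Firewall:
    def __init__(self, interfaces: List[Interface]):
        self.interfaces = interfaces

    def filter(self, pkt: Packet) -> Tuple[Optional[str], str]:
        """Pick the NIC that owns the destination and evaluate that NIC's own policy."""
        dst = ip_address(pkt.dst)
        for iface in self.interfaces:
            if dst in ip_network(iface.network):
                for rule in iface.rules:
                    if rule.matches(pkt):
                        return iface.name, rule.action
                return iface.name, iface.default
        return None, "drop"  # destination is behind no NIC the firewall knows of


def deliver(pkt: Packet, fw: Firewall, front_segments: List[str]) -> Tuple[str, str]:
    """Return (path, verdict) for a packet arriving from the router.

    A host on a segment in front of the firewall (the DMZ in the post's sense) is
    reached before the firewall ever sees the packet, so no policy applies to it.
    """
    dst = ip_address(pkt.dst)
    for seg in front_segments:
        if dst in ip_network(seg):
            return "router->host", "accept"
    iface, verdict = fw.filter(pkt)
    return f"router->firewall[{iface}]->host", verdict


# Constructed addressing: 192.0.2.0/24 is the wire between router and firewall,
# 10.0.0.0/24 the core network, 10.0.1.0/24 the lightly protected third-NIC segment.
FRONT_SEGMENT = "192.0.2.0/24"
FW = Firewall([
    # core NIC: default drop, with one per-host exception (policy by IP, not by subnet)
    Interface("internal", "10.0.0.0/24", (Rule("10.0.0.25/32", 25, "accept"),), "drop"),
    # third NIC: a lighter policy that admits web traffic to the whole segment
    Interface("third", "10.0.1.0/24", (Rule("10.0.1.0/24", 80, "accept"),
                                        Rule("10.0.1.0/24", 443, "accept")), "drop"),
])


def classify(dst: str, dport: int) -> Tuple[str, str]:
    """Trace an inbound packet from a constructed external address to dst:dport."""
    return deliver(Packet("203.0.113.9", dst, dport), FW, [FRONT_SEGMENT])


if __name__ == "__main__":
    for dst, port in [("192.0.2.10", 23), ("10.0.1.10", 80), ("10.0.1.10", 23),
                      ("10.0.0.25", 25), ("10.0.0.26", 25)]:
        path, verdict = classify(dst, port)
        print(f"{dst}:{port:<4} {verdict:<6} via {path}")
```

Running it shows the three cases side by side: telnet to 192.0.2.10 is accepted without the firewall being involved at all, port 80 to the third-NIC segment passes that NIC's policy while port 23 there is dropped, and only 10.0.0.25 on the core NIC accepts SMTP. The model is deliberately stateless and ignores source addresses and return traffic; its only purpose is to make visible which hosts a firewall policy can and cannot protect.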
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:01 CDT