Firewall Wizards mailing list archives
Re: Reverse Proxy on DMZ
From: "Matt McClung" <mmcclung () ndwcorp com>
Date: Tue, 19 Jan 1999 09:44:32 -0700
I don't mind the interjection. I don't know how you tend to set up your 'DMZ's, but for myself, when I create a new network off the firewall - be it DMZ, Extranet, etc. - NOTHING is allowed that I don't specifically allow. For instance, if I put a mail relay host on my DMZ I ONLY allow SMTP to that box and nothing else. All other traffic is denied.

Now, I must admit I do see the servers on the DMZ as quasi-sacrificial boxes, but I don't just allow anyone to do anything on those servers.

I don't believe Checkpoint is the one who termed the phrase DMZ - in fact I know several FW/Security products which use the term. The whole phrase DeMilitarized Zone does not necessarily mean that you have no defenses in that area. The term refers to an area which is handled differently (access wise) than your internal LAN. You never allow access into the LAN directly. But you do allow some traffic into the DMZ.

Matt McClung

-----Original Message-----
From: John Kozubik <john_kozubik_dc () hotmail com>
To: perry () piermont com <perry () piermont com>; joel_snider () yahoo com <joel_snider () yahoo com>; mmcclung () ndwcorp com <mmcclung () ndwcorp com>
Cc: firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Monday, January 18, 1999 4:48 PM
Subject: Re: Reverse Proxy on DMZ
I am sorry to interject in the middle of the discussion here, but I must protest the use of the term "DMZ" in relation to separate segments that still remain behind the firewall. The DMZ is not firewalled. The DMZ exists _between_ the firewall and the router/modem/interface. No matter what checkpoint software and assorted other goons packaging neat little things in shiny boxes tell you, the DMZ is not firewalled, or a part of the firewall, or a segment off of the firewall, etc. I don't know what you should call it - certainly some nifty sounding throwback to the vietnam war so we can all feel cool, but it is _not_ the DMZ.

You may be asking what the point of an area between the firewall and the router is - it is for machines that should not be given any kind of filtering whatsoever. The data collection portion of the Navy's STEP IDS system comes to mind, or the entire portion of NFR. Or you can just put a hub in the DMZ and leave it for machines that you will throw there in case of emergency.

If someone tells you they are putting their mail or www server in the DMZ, laugh at them for not firewalling these mission critical machines, or calmly explain to them that the area off of the third NIC in their firewall is _not_ the DMZ. Unless you are from CheckPoint software, in which case you are calling it a DMZ because the marketing goons think it is a 'feature' or something.

kozubik

- John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE AD87 520F 57BE 850B E4C4

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
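The default-deny policy Matt describes for a screened segment (only SMTP reaches the mail relay, nothing else is permitted, and the segment can never initiate a connection into the LAN) written out as an nftables ruleset for a three-legged firewall. This is an added example, not code from the list or from either poster; the interface names, the relay address, and the two outbound rules that let the relay deliver mail and resolve names are assumptions, as is the choice of nftables rather than the 1999-era products the thread is about.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: an nftables ruleset for a
# three-legged firewall (WAN / DMZ / LAN) applying the default-deny DMZ
# policy described in the post above. Interface names and the relay address
# are assumptions; override them in the environment if needed.
set -eu

WAN_IF="${WAN_IF:-eth0}"
DMZ_IF="${DMZ_IF:-eth1}"
LAN_IF="${LAN_IF:-eth2}"
MAIL_RELAY="${MAIL_RELAY:-192.0.2.25}"   # assumed relay address (RFC 5737 range)

# Emit the ruleset on stdout. The forward chain's policy is drop, so any
# traffic between legs that is not listed here is refused. The only fresh
# connections permitted are SMTP to the relay from the outside and from the
# LAN, plus (assumed, so the relay can actually deliver mail) outbound SMTP
# and DNS from the relay itself. No rule lets the DMZ open anything into
# the LAN; that absence is the point of the segment.
dmz_ruleset() {
	cat <<EOF
flush ruleset
table inet dmz_fw {
	chain forward {
		type filter hook forward priority 0; policy drop;

		# replies to connections that were permitted below
		ct state established,related accept
		ct state invalid drop

		# inbound mail: only tcp/25, only to the relay, from either side
		iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $MAIL_RELAY tcp dport 25 ct state new accept
		iifname "$LAN_IF" oifname "$DMZ_IF" ip daddr $MAIL_RELAY tcp dport 25 ct state new accept

		# assumed: the relay must deliver outbound mail and resolve names
		iifname "$DMZ_IF" oifname "$WAN_IF" ip saddr $MAIL_RELAY tcp dport 25 ct state new accept
		iifname "$DMZ_IF" oifname "$WAN_IF" ip saddr $MAIL_RELAY udp dport 53 ct state new accept

		# deliberately no rule for $DMZ_IF -> $LAN_IF
		log prefix "dmz-fw drop: " counter drop
	}
}
EOF
}

# Number of accept rules in the generated ruleset. Pin this in a check so a
# stray "accept" that nobody asked for is noticed in review.
accept_rule_count() {
	dmz_ruleset | grep -c ' accept$'
}

# Exit 0 if some rule would let the DMZ leg initiate into the LAN leg,
# 1 if the ruleset contains no such rule.
dmz_can_initiate_into_lan() {
	dmz_ruleset | grep -q "iifname \"$DMZ_IF\" oifname \"$LAN_IF\".* accept"
}

case "${1:-print}" in
	print) dmz_ruleset ;;                 # show the ruleset
	check) dmz_ruleset | nft -c -f - ;;   # syntax check only (needs nft)
	apply) dmz_ruleset | nft -f - ;;      # load it (needs root)
esac
```

Run it with no arguments to print the ruleset, `check` to have nft parse it without loading, or `apply` to load it. The two helper functions are the kind of regression check worth keeping next to a firewall policy: the accept count should only change when someone deliberately adds a service, and the DMZ-to-LAN check should never start succeeding.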
Current thread:
- Re: Reverse Proxy on DMZ, (continued)
- Re: Reverse Proxy on DMZ Perry E. Metzger (Jan 12)
- Re: Reverse Proxy on DMZ youngk (Jan 12)
- Re: Reverse Proxy on DMZ Matt McClung, CCSA/CCSE (Jan 13)
- Re: Reverse Proxy on DMZ Perry E. Metzger (Jan 13)
- Re: Reverse Proxy on DMZ Matt McClung, CCSA/CCSE (Jan 13)
- Re: Reverse Proxy on DMZ Perry E. Metzger (Jan 13)
- Re: Reverse Proxy on DMZ John Kozubik (Jan 18)
- Re: Reverse Proxy on DMZ Amos Hayes (Jan 19)
- Re: Reverse Proxy on DMZ Roger Nebel (Jan 20)
- RE: Reverse Proxy on DMZ Andreas Haug (Jan 19)
- Re: Reverse Proxy on DMZ Amos Hayes (Jan 19)
- Re: Reverse Proxy on DMZ Matt McClung (Jan 19)
- Re: Reverse Proxy on DMZ Joseph S D Yao (Jan 20)
- Re: Reverse Proxy on DMZ H . (Jan 21)
- Re: Reverse Proxy on DMZ mike . parsons (Jan 21)