Firewall Wizards mailing list archives

Re: DMZ best practices


From: "John Kozubik" <john_kozubik_dc () hotmail com>
Date: Tue, 19 Jan 1999 10:24:39 PST

I can think of 2 reasons why you would want to hang machines off a
third-interface of a firewall, as opposed to off a hub in front of the
firewall;

(reasons omitted)

Yes - these are perfectly valid.  My point was not that you shouldn't 
hang machines off of a third NIC - in some cases you should.  My point 
was that _if_ you do do that, don't call it a DMZ, because it is not the 
DMZ.

I was haggling not about security policy, but about nomenclature.

As far as keeping www and mail, etc. behind the firewall, note that my 
original email stated "behind _a_ firewall" and your email said they 
should not be kept behind _the_ firewall.  If you only have one 
firewall, then YMMV.  I said _a_ firewall because I wanted to denote 
that mail and www do _not_ belong in the DMZ.  I don't care where you 
put them, and you are correct that putting them behind _THE_ firewall 
may not be such a hot idea, but putting them behind _a_ firewall is 
imperative.  

The DMZ is the area between the router and the firewall.  Don't put 
critical machines of any kind in the DMZ.  The machines hanging off of 
the third NIC do _not_ constitute a DMZ, no matter what your vendor 
tells you.

kozubik - John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE  AD87 520F 57BE 850B E4C4

