Firewall Wizards mailing list archives
RE: DMZ, defined.
From: "graham, randy" <randy_graham () hq dla mil>
Date: Thu, 21 Jan 1999 09:47:37 -0500
So now we have a language expert. This talk about what a DMZ "really" is seems to miss one extremely important feature of language - change. Just check out the OED (Oxford English Dictionary) sometime. The meaning of a word changes over time. John, you no more have the right to give an absolute definition than anyone else here. I think beyond saying that the DMZ is a less heavily protected region somewhere in our network arena (and even some people might disagree with this broad use), we really aren't going to have a general agreement on where exactly the DMZ goes.

So an area behind a/the firewall off a third NIC cannot be called a DMZ. Why not? Because you don't want to call it that? I put some equipment there, leave it open to a lot of abuse because I have to so my machines there work, but try to offer some protection. Why can't I call this a DMZ if that's what I think of as the DMZ? It is fairly open, but I restrict what I can. I track as well as I can what goes in and out there. It doesn't have any more access to my internal net than the outside world. What's missing here?

I really don't mean to be a jerk about this (I get to be a jerk at work enough that I don't need to act like that on mail lists to meet my daily recommended allowance). In fact, I've enjoyed your recent postings and learned quite a bit these past couple of days. But please don't tell me how I can define a term. As long as everyone with whom I speak knows how I use the term, it should be fine. I do know now what you mean by DMZ, but I don't use the term the same. As long as we know this about each other, we can communicate effectively, and that is where we really need to be.

Randy Graham
-----Original Message-----
From: John Kozubik [SMTP:john_kozubik_dc () hotmail com]
Sent: Tuesday, January 19, 1999 1:19 PM
To: firewall-wizards () nfr net
Subject: DMZ, defined.

Not wanting to really pursue the subject anymore, as I entered simply to point out a matter of fact ... I will quickly define what I think the real definition of 'DMZ' is and why it is being misused by security software firms, users, list subscribers, etc.

The DMZ, officially, is the area between the router (or ISDN modem, etc.) and the firewall. The DMZ is _not_ a product feature, as companies like CheckPoint like to make it out to be. Although some firewalls support having a second security policy off of a third NIC going to a group of machines that may be less protected than the 'core' off of the second NIC, it is not really a DMZ, even though they call it that. In this case, those machines are behind the firewall, albeit on a different NIC. Therefore, they cannot be in the DMZ.

You may never have _any_ machines in the DMZ. Having a machine in the DMZ is asking for trouble in most cases. Machines in the DMZ are not protected in any way by the firewall, since they are between the firewall and the outside world.

This is somewhat of a sore spot with me, as I have personally witnessed IT managers demand that the firewall software being evaluated contain a DMZ 'feature'. I realize that it gets confusing when the 'real' definition refers to one thing (in this case the area between router and firewall) and other definitions are different - blame this on marketing.

What should the area behind the firewall off of the third NIC with a lighter security policy be called? Well, in keeping with the cool Vietnam war throwback terms, I would suggest "holding pen" or maybe even "most of you could define different policies behind the firewall based on IP, and not on subnet, and are therefore wasting a perfectly good NIC". Not all, but most.
kozubik - John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE AD87 520F 57BE 850B E4C4