Firewall Wizards mailing list archives

RE: DMZ, defined.


From: "graham, randy" <randy_graham () hq dla mil>
Date: Thu, 21 Jan 1999 09:47:37 -0500

So now we have a language expert.  This talk about what a DMZ "really" is
seems to miss one extremely important feature of language - change.  Just
check out the OED (Oxford English Dictionary) sometime.  The meaning of a
word changes over time.  John, you no more have the right to give an
absolute definition than anyone else here.  I think beyond saying that the
DMZ is a less heavily protected region somewhere in our network arena (and
even some people might disagree with this broad use), we really aren't going
to have a general agreement on where exactly the DMZ goes.

So an area behind a/the firewall off a third NIC cannot be called a DMZ.
Why not?  Because you don't want to call it that?  I put some equipment
there, leave it open to a lot of abuse because I have to so my machines
there work, but try to offer some protection.  Why can't I call this a DMZ
if that's what I think of as the DMZ?  It is fairly open, but I restrict
what I can.  I track as well as I can what goes in and out there.  It
doesn't have any more access to my internal net than the outside world.
What's missing here?

I really don't mean to be a jerk about this (I get to be a jerk at work
enough that I don't need to act like that on mail lists to meet my daily
recommended allowance).  In fact, I've enjoyed your recent postings and
learned quite a bit these past couple of days.  But please don't tell me how
I can define a term.  As long as everyone with whom I speak knows how I use
the term, it should be fine.  I do know now what you mean by DMZ, but I
don't use the term the same.  As long as we know this about each other, we
can communicate effectively, and that is where we really need to be.

Randy Graham

-----Original Message-----
From: John Kozubik [SMTP:john_kozubik_dc () hotmail com]
Sent: Tuesday, January 19, 1999 1:19 PM
To:   firewall-wizards () nfr net
Subject:      DMZ, defined.


Not wanting to really pursue the subject anymore, as I entered simply to 
point out a matter of fact  ...  I will quickly define what I think the 
real definition of 'DMZ' is and why it is being misused by security 
software firms, users, list subscribers, etc.

The DMZ, officially, is the area between the router (or ISDN modem, etc.) 
and the firewall.  

The DMZ is _not_ a product feature, as companies like CheckPoint like to 
make it out to be.  Although some firewalls support having a second 
security policy off of a third NIC going to a group of machines that may 
be less protected than the 'core' off of the second NIC, it is not 
really a DMZ, even though they call it that.  In this case, those 
machines are behind the firewall, albeit on a different NIC.  Therefore, 
they cannot be in the DMZ.

You may never have _any_ machines in the DMZ.  Having a machine in the 
DMZ is asking for trouble in most cases.  Machines in the DMZ are not 
protected in any way by the firewall, since they are between the 
firewall and the outside world.

This is somewhat of a sore spot with me, as I have personally witnessed 
IT managers demand that the firewall software being evaluated contain a 
DMZ 'feature'.

I realize that it gets confusing when the 'real' definition refers to 
one thing (in this case the area between router and firewall) and other 
definitions are different - blame this on marketing.  

What should the area behind the firewall off of the third NIC with a  
lighter security policy be called??  Well, in keeping with the cool 
Vietnam war throwback terms, I would suggest "holding pen" or maybe even 
"most of you could define different policies behind the firewall based 
on IP, and not on subnet, and are therefore wasting a perfectly good 
NIC".  Not all, but most.

kozubik - John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE  AD87 520F 57BE 850B E4C4
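The two topologies the thread argues about, as an added example (not code from either poster): a toy zone-based packet filter is built twice, once as a "three-legged" firewall whose third NIC carries the lighter-policy segment, and once as the classic router-firewall layout where the same segment sits in front of the firewall. The addressing (10.0.0.0/24, 192.0.2.0/24, 203.0.113.5) and the rules are constructed assumptions chosen to show the difference: behind the third NIC the segment is still subject to policy and gets no more access to the internal net than the outside world, whereas in front of the firewall the firewall never sees traffic to it at all.

```python
"""Added example, not from the mailing-list thread: a toy zone-based packet
filter used to compare a "third NIC" DMZ with a segment placed between the
router and the firewall.  All addresses and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "accept" or "drop"


class Firewall:
    """Stateless zone-based filter: first matching rule wins, default drop."""

    def __init__(self, zones: Dict[str, str], policy: List[Rule]):
        # zones: name -> CIDR of the network on each inside NIC
        self.zones = {name: ip_network(cidr) for name, cidr in zones.items()}
        self.policy = policy

    def zone_of(self, ip: str) -> str:
        addr = ip_address(ip)
        for name, net in self.zones.items():
            if addr in net:
                return name
        return "outside"   # anything not on one of our inside NICs

    def evaluate(self, src_ip: str, dst_ip: str, dport: int) -> str:
        s, d = self.zone_of(src_ip), self.zone_of(dst_ip)
        if s == d:
            # Same segment: the packet never crosses the firewall, so no
            # rule can accept or drop it.
            return "not-filtered"
        for r in self.policy:
            if r.src_zone == s and r.dst_zone == d and r.dport in (None, dport):
                return r.action
        return "drop"


# Constructed addressing (documentation ranges), not from the thread.
INTERNAL = "10.0.0.0/24"
DMZ_SEGMENT = "192.0.2.0/24"

# Topology A: the lighter-policy segment hangs off a third NIC behind the
# firewall, so every packet to or from it is subject to policy.
three_legged = Firewall(
    zones={"internal": INTERNAL, "dmz": DMZ_SEGMENT},
    policy=[
        Rule("outside", "dmz", 80, "accept"),        # public web service
        Rule("outside", "dmz", 443, "accept"),
        Rule("internal", "dmz", None, "accept"),     # admins manage DMZ hosts
        Rule("internal", "outside", None, "accept"), # normal egress
        # No dmz->internal or outside->internal rule: both fall through to
        # the default drop, so the DMZ has no more reach than the outside.
    ],
)

# Topology B: the same segment sits between the router and the firewall.
# The firewall has only an internal NIC and an outside NIC, so from its
# point of view 192.0.2.0/24 is just part of "outside".
classic = Firewall(
    zones={"internal": INTERNAL},
    policy=[Rule("internal", "outside", None, "accept")],
)


def compare(src_ip: str, dst_ip: str, dport: int) -> Dict[str, str]:
    """Verdict for one flow under both topologies."""
    return {
        "three_legged": three_legged.evaluate(src_ip, dst_ip, dport),
        "classic": classic.evaluate(src_ip, dst_ip, dport),
    }


if __name__ == "__main__":
    flows = [
        ("203.0.113.5", "192.0.2.10", 80),   # outside -> segment, web
        ("203.0.113.5", "192.0.2.10", 22),   # outside -> segment, ssh
        ("192.0.2.10", "10.0.0.20", 445),    # segment -> internal
        ("203.0.113.5", "10.0.0.20", 445),   # outside -> internal
    ]
    for src, dst, port in flows:
        print(f"{src} -> {dst}:{port}  {compare(src, dst, port)}")
```

Running it shows the contrast the posters are circling: under the three-legged layout an SSH probe from outside to the segment is dropped and the segment cannot reach the internal net, while under the classic layout the same probe is "not-filtered" because the firewall is simply not in the path.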
