> I have to pick semantics here. After all, this is a firewalls list. So,
> that having been said, what you describe here is a "screened subnet"; NOT
> a DMZ!!! This misuse of the term just bugs me. Sorry, I'm better now.
Geoffrey,
you should not post to this list in that manner without some knowledge.
Look at Chapman/Zwicky (which you pretend to cite), Chapter 4.2:
'The screened subnet architecture adds an extra layer of security to the
screened host architecture by adding a perimeter network that further
isolates the internal network from the Internet.'
means: DMZ = perimeter network = screened subnet
It's quite a common approach to unify external router, DMZ (or NIC
towards...), and internal router in one machine (though I don't like it
personally for various reasons: e.g. if that machine gets compromised... and
all the traffic to be handled by this machine... but that's not the subject
here).
The only difference from a 'classic DMZ' is that the 'DMZ' is sort of 'within'
the box. There's (or should be...) some screening NIC external - NIC DMZ and
some screening NIC DMZ - NIC internal (or vice versa); anyway: traffic
to/from DMZ in either direction can be /screened/ twice. In those cases
traffic, especially LAN - Internet, is usually handled by some sort of proxy
or stateful inspection engine, but /can/ be supported by packet filtering at
the NICs (or routers behind/in front of the bastion host, in those cases
most often called the FW itself...)
Enno Rey
[EMAIL PROTECTED]
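As an added illustration of the "DMZ within the box" described above (example code, not part of the original post), this toy model puts a packet-filter screen between NIC external and NIC DMZ and another between NIC DMZ and NIC internal, so LAN - Internet traffic is screened twice; zone names, ports and rules are constructed for the example.

```python
"""Toy model of a three-NIC firewall with a 'DMZ within the box':
a packet-filter screen sits between each pair of neighbouring NICs.
Constructed example; zone names, ports and rules are illustrative only."""
from collections import namedtuple

Packet = namedtuple("Packet", "src_zone dst_zone proto dport")
Rule = namedtuple("Rule", "src_zone dst_zone proto dport action")

# NIC order inside the box; a screen sits between each neighbouring pair.
ZONES = ["internal", "dmz", "external"]

# Screen NIC external - NIC DMZ: first match wins, anything unmatched is dropped.
SCREEN_EXT_DMZ = [
    Rule("external", "dmz", "tcp", 25, "accept"),        # inbound mail to the bastion
    Rule("dmz", "external", "tcp", 25, "accept"),        # bastion relays mail out
    Rule("dmz", "external", "udp", 53, "accept"),        # bastion resolves names
    Rule("internal", "external", "tcp", 443, "accept"),  # LAN browsing (proxy/stateful engine)
]
# Screen NIC DMZ - NIC internal.
SCREEN_DMZ_INT = [
    Rule("internal", "dmz", "tcp", 25, "accept"),        # LAN hands outbound mail to the bastion
    Rule("internal", "external", "tcp", 443, "accept"),
    Rule("external", "internal", "tcp", 22, "accept"),   # deliberate mistake: too permissive
]
SCREENS = {("internal", "dmz"): SCREEN_DMZ_INT, ("dmz", "external"): SCREEN_EXT_DMZ}

def screens_on_path(src_zone, dst_zone):
    """Screens a packet crosses, in traversal order; internal->external crosses both."""
    i, j = ZONES.index(src_zone), ZONES.index(dst_zone)
    step = 1 if j > i else -1
    return [tuple(ZONES[k] for k in sorted((n, n + step))) for n in range(i, j, step)]

def screen_verdict(rules, pkt):
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == tuple(pkt):
            return r.action
    return "drop"  # default deny

def filter_packet(pkt):
    """Return (verdict, screens crossed): every screen on the path must accept the packet."""
    crossed = []
    for hop in screens_on_path(pkt.src_zone, pkt.dst_zone):
        crossed.append(f"{hop[0]}<->{hop[1]}")
        if screen_verdict(SCREENS[hop], pkt) != "accept":
            return "drop", crossed
    return "accept", crossed

if __name__ == "__main__":  # example run
    print(filter_packet(Packet("internal", "external", "tcp", 443)))
    print(filter_packet(Packet("external", "internal", "tcp", 22)))
```

The second run shows the point of screening twice: the over-permissive rule in the inner screen is never reached, because the outer screen drops the packet first.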