-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 6 Feb 2000, Enno Rey wrote:

> you should not post to this list in that manner without some knowledge.
> Look at Chapman/Zwicky (which you pretend to cite), Chapter 4.2:
> 'The screened subnet architecture adds an extra layer of security to the
> screened host architecture by adding a perimeter network that further
> isolates the internal network from the Internet.'
> 
> means: DMZ = perimeter network = screened subnet

Correct, I failed to actually go dig up the Chapman/Zwicky book before
posting, and was basing my post on memory from that and
Bellovin/Cheswick. I believe there is room from the Bellovin book to
interpret DMZ either way that has been brought up in this debate ... I
will concede.

> It's a quite common approach to unify external router, DMZ (or NIC
> towards...), internal router in one machine (though I don't like it
> personally for various reasons: e.g. if that machine gets compromised... and
> all the traffic to be handled by this machine... but that's not the subject
> here).

That is precisely what I don't like about the contested DMZ description. I
feel that it gives one an unwarranted sense of security.

> The only difference to a 'classic DMZ' is that the 'DMZ' is sort of 'within'
> the box. There's (or should be...) some screening NIC external - NIC DMZ and
> some screening NIC DMZ - NIC internal (or vice versa), anyway: traffic
> to/from DMZ in either direction can be /screened/ twice. In those cases
> traffic, especially LAN - Internet usually is handled by some sort of proxy
> or stateful inspection engine, but /can/ be supported by packet filtering at
> the NICs (or routers behind/in front of the bastion host, in those cases
> most called the FW itself...)

I try to explain DMZ to people as the machines that lie between the border
router and the firewall/proxy server. Not exactly protected, but not
entirely at the mercy of script kiddies either. Is it just me, or is the
list sending double postings again?

geoffrey
+++++++++++++++++++++++++++++++++++

Two hundred ... forty dollars ...
worth of puddin'!  Aaah yeaaah!

++++++++++++++++++++++++++++++++++
Key fingerprint ===> 3B5C 0F9E 4CE0 EEA7 980B  6F43 B342 23C8 EF21 48DF
Public key available upon request.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOJ3dO7NCI8jvIUjfEQLykgCgokWb0d1bVmeBlm/xaPA9mmqL/uIAoK7u
UkoLBxIgBXvH4LrkjBRG8VXb
=jN4H
-----END PGP SIGNATURE-----
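The "DMZ within the box" that Enno describes above (one bastion host with an external NIC, a DMZ NIC and an internal NIC, with traffic to and from the DMZ screened at both NIC boundaries) is easier to reason about with a small policy model. The script below is an added illustration and is not code from either poster; the interface zones, the address ranges (TEST-NET-1 for the DMZ, 10/8 for the LAN), the rule table and the sample flows are all constructed assumptions. It shows what the thread argues: a packet from the Internet to the LAN has to pass two screens, so a mistake in the outer screen is still caught by the inner one, and a compromised DMZ host gets no path inward.

```python
"""Three-interface "DMZ-in-the-box" screening model (added example).

Models a bastion host with ext, dmz and lan NICs where traffic crossing the
DMZ segment is screened twice.  All addresses, zones and rules are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DMZ_NET = ip_network("192.0.2.0/24")  # assumed DMZ range (TEST-NET-1)
LAN_NET = ip_network("10.0.0.0/8")    # assumed internal range


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr: str) -> str:
    """Map an address to the NIC/zone it belongs to; anything else is 'ext'."""
    a = ip_address(addr)
    if a in DMZ_NET:
        return "dmz"
    if a in LAN_NET:
        return "lan"
    return "ext"


# One allow-set per screening point (from_zone, to_zone).  Anything not
# listed is dropped: default deny is what gives the second screen its value.
RULES = {
    ("ext", "dmz"): {("tcp", 80), ("tcp", 25)},              # public services
    ("dmz", "ext"): {("tcp", 25), ("udp", 53)},              # mail relay, DNS
    ("lan", "dmz"): {("tcp", 80), ("tcp", 25), ("tcp", 22)},  # LAN uses DMZ proxy/relay
    ("dmz", "lan"): set(),   # a compromised DMZ host gets nothing inbound
    ("lan", "ext"): set(),   # no direct LAN -> Internet; go via the proxy
    ("ext", "lan"): set(),
}


def path(src_zone: str, dst_zone: str):
    """Screening points a packet crosses on the bastion host.

    There is no direct ext<->lan path on this box: such traffic must transit
    the DMZ segment, so it is screened at both NIC boundaries.
    """
    if src_zone == dst_zone:
        return []
    if "dmz" in (src_zone, dst_zone):
        return [(src_zone, dst_zone)]
    return [(src_zone, "dmz"), ("dmz", dst_zone)]


def screen(pkt: Packet, rules=RULES):
    """Return (verdict, trace): verdict is 'accept' or 'drop', trace lists
    each screening point consulted and its decision, in order."""
    trace = []
    for hop in path(zone_of(pkt.src), zone_of(pkt.dst)):
        allowed = (pkt.proto, pkt.dport) in rules.get(hop, set())
        trace.append((hop, "accept" if allowed else "drop"))
        if not allowed:
            return "drop", trace
    return "accept", trace


def second_screen_holds(pkt: Packet, outer_mistake):
    """Why screening twice matters: even if the outer (ext->dmz) screen
    wrongly admits `outer_mistake` = (proto, dport), the inner screen still
    decides whether anything reaches the LAN."""
    loose = {k: set(v) for k, v in RULES.items()}
    loose[("ext", "dmz")].add(outer_mistake)
    return screen(pkt, loose)


if __name__ == "__main__":
    # Constructed sample flows; 198.51.100.0/24 stands in for the Internet.
    samples = [
        Packet("198.51.100.7", "192.0.2.10", 80),  # Internet -> DMZ web server
        Packet("198.51.100.7", "10.1.1.5", 80),    # Internet -> LAN host
        Packet("192.0.2.10", "10.1.1.5", 445),     # DMZ host -> LAN (blocked pivot)
        Packet("10.1.1.5", "192.0.2.10", 80),      # LAN -> DMZ proxy
    ]
    for p in samples:
        print(p, *screen(p))
    print("outer screen loosened for tcp/22:",
          second_screen_holds(Packet("198.51.100.7", "10.1.1.5", 22), ("tcp", 22)))
```

Run it directly to see each flow's trace; the Internet-to-LAN flow is accepted at the ext/dmz screen and dropped at the dmz/lan screen, which is the "screened twice" property. The single-box caveat from the thread still applies: both screens live on one host, so compromising that host defeats both at once, which is exactly the risk the posters disagree about.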
