If that router in front of the external services is doing any kind of
filtering, then it's a screened subnet which Geoffrey originally argued was
not a DMZ. If it's not doing any kind of filtering then it's not ANY KIND of
"tried and true practice" in my opinion. From Geoffrey's posting, his
definition of DMZ "leaves the DMZ systems unprotected except for there (sic)
own methods". I'd have to contend that every DMZ I've seen at the very least
has some sort of protection that delineates it from external hosts.

--
Gene Lee
[EMAIL PROTECTED]
[EMAIL PROTECTED]
-----Original Message-----
From: Ric Messier <[EMAIL PROTECTED]>
To: Elizabeth Zwicky <[EMAIL PROTECTED]>; 'geoffrey'
<[EMAIL PROTECTED]>; Micheal Espinola Jr <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Monday, February 07, 2000 11:19 AM
Subject: RE: NT Network Browsing


>A DMZ is a DMZ. It's a common practice of hanging your external servers
>behind the router but in front of your firewall. It keeps your internal
>network protected without having to deal with poking holes in your firewall
>to get your external servers exposed for the services they offer.
>
>It's a tried and true practice. I don't much care what a book has to say
>about it (O'Reilly or otherwise) because I've seen it implemented on several
>networks I've worked on and I've implemented it myself. Tastes great, less
>filling.
>
>Ric
>
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]]On Behalf Of Elizabeth Zwicky
>> Sent: Monday, February 07, 2000 11:06 AM
>> To: 'geoffrey'; Micheal Espinola Jr
>> Cc: [EMAIL PROTECTED]
>> Subject: RE: NT Network Browsing
>>
>>
>>
>> As *I* understand it from the O'Reilly firewall book, "DMZ"
>> is another name for "screened subnet". I don't know of
>> any term for what you're describing as a DMZ, but it
>> sounds like a bad idea to me. The definition
>> of "perimeter network" on page 58 is quite explicit about this,
>> I think.
>>
>> Elizabeth Zwicky
>> [EMAIL PROTECTED]
>>
>> > -----Original Message-----
>> > From: geoffrey [mailto:[EMAIL PROTECTED]]
>> > Sent: Saturday, February 05, 2000 11:27 PM
>> > To: Micheal Espinola Jr
>> > Cc: geoffrey; [EMAIL PROTECTED]
>> > Subject: RE: NT Network Browsing
>> >
>> >
>> > -----BEGIN PGP SIGNED MESSAGE-----
>> > Hash: SHA1
>> >
>> > On Sun, 6 Feb 2000, Micheal Espinola Jr wrote:
>> >
>> > > OK - That being said, what is the difference?  I thought a DMZ was a
>> > > screened subnet.
>> >
>> > As I understand the term from the O'Reilly & Bellovin
>> > firewalls books, a
>> > DMZ is all the systems which are set in the same address space as the
>> > firewall; not hanging off of it from a third NIC. The third NIC subnet
>> > allows for the firewall to afford some protection to these systems,
>> > whereas my definition leaves the DMZ systems unprotected
>> > except for there
>> > own methods. See what I mean?
>> >
>> > geoffrey
>> > +++++++++++++++++++++++++++++++++++
>> >
>> > Two hundred ... forty dollars ...
>> > worth of puddin'!  Aaah yeaaah!
>> >
>> > ++++++++++++++++++++++++++++++++++
>> > Key fingerprint ===> 3B5C 0F9E 4CE0 EEA7 980B  6F43 B342 23C8
>> > EF21 48DF
>> > Public key available upon request.
>> >
>> >
>> > -
>> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
>> > "unsubscribe firewalls" in the body of the message.]
>> >
