Actually, both architectures are the same.  It just so happens that
the functionality of a firewall allows it to serve as the boundary
between the outside and the DMZ as well as the boundary between the
DMZ and the inside.  In general, the purpose of the DMZ is to prevent
direct traffic between the outside and the inside, and so in both of
your examples, the DMZ is "between" the other two networks.

However, if you have a single FW with three interfaces, it allows you
to build a traditional DMZ-based structure (forcing packets to always
pass through the DMZ) or to let some traffic bypass the DMZ entirely.
Although both are functionally the same, the 3-legged approach allows
traffic to pass from outside to inside without ever being visible to
DMZ-based systems.  In this way, it can be considered "more secure."
But since you have a single point of failure, some people may consider
it less secure...

paul

---------------------------------------------------------
Paul A. McNabb, CISSP           Argus Systems Group, Inc.
Senior Vice President and CTO   1809 Woodfield Drive
[EMAIL PROTECTED]        Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433                "Securing the Future"
---------------------------------------------------------

>  From: Paul Gracy <[EMAIL PROTECTED]>
>  Date: Wed, 9 Feb 2000 16:52:48 -0500 
>  
>  If you look at the most prominent DMZ in the world (Korea), you will see
>  that it is an area BETWEEN two enemies.  There is no screening or other
>  protection between either Korea and the DMZ.  Thus, it is not completely
>  unreasonable to define it like this: 
>  
>  net
>   |
>   |
>  router
>   | 
>   |
>  DMZ
>   |
>   |
>  firewall
>   |
>   |
>  inside network
>  
>  This does in fact qualify as "a network added
>  between a protected network and an external network, in order to provide an
>  additional layer of security", albeit some would argue it is a weak
>  qualification.
>  
>  However, in my experience, *most* firewall people view this as the standard
>  architecture:
>  
>  net
>   |
>   |
>  router
>   | 
>   |
>  outside network
>   |
>   |
>  firewall >> DMZ
>   |
>   |
>  inside network
>  
>  So, I propose that both are valid explanations / definitions of a DMZ. 
>  
>  Thus, when you ask a question about the DMZ, simply specify: 
>  
>  I'm using an Acme firewall-77 in the DMZ (third leg), and want to make it
>  do.... 
>  OR 
>  I'm using an Acme firewall-77 in the DMZ ('tween net router and firewall),
>  and want to make it do.... 
>  
>  And, yeah, if you have control of it or can convince your ISP to change it,
>  you add whatever helpful screening rules you can to the outside router.  But
>  that's not always possible. 
>  
>  my two cents.
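The two layouts argued over above can be compared mechanically. What follows is an added example, written for this page and not code from either poster: it models both topologies as small graphs, walks a flow's path through each, lets every forwarding device on that path apply its own rules, and reports which intermediate segments the flow crossed. The segment names (net, outside, dmz, inside), the firewall policy (including a port 1194 VPN rule standing in for "traffic that may bypass the DMZ"), the assumption that the firewall classifies a flow by its origin and destination segment, and the assumption that the net router does no screening are all illustrative choices, not anything the thread states. It also goes slightly beyond the thread by showing that in the router-DMZ-firewall layout a net-to-DMZ connection never reaches the firewall at all.

```python
from collections import deque
from dataclasses import dataclass

# Segments (lower-case) and forwarding devices (UPPER-CASE) as undirected adjacency.
# Layout A: the DMZ sits between the net router and the firewall (assumed wiring).
TOPOLOGY_A = {
    "net": {"ROUTER"},
    "ROUTER": {"net", "dmz"},
    "dmz": {"ROUTER", "FIREWALL"},
    "FIREWALL": {"dmz", "inside"},
    "inside": {"FIREWALL"},
}
# Layout B: the DMZ hangs off a third firewall interface ("firewall >> DMZ").
TOPOLOGY_B = {
    "net": {"ROUTER"},
    "ROUTER": {"net", "outside"},
    "outside": {"ROUTER", "FIREWALL"},
    "FIREWALL": {"outside", "dmz", "inside"},
    "dmz": {"FIREWALL"},
    "inside": {"FIREWALL"},
}


@dataclass(frozen=True)
class Flow:
    src: str    # segment where the connection originates
    dst: str    # segment it is destined for
    dport: int  # destination TCP port


# Assumed firewall policy for illustration, keyed on (origin, destination) segment.
# A value of None allows any port; any pair not listed is dropped.
FIREWALL_POLICY = {
    ("net", "dmz"): {80, 443},   # public web tier
    ("dmz", "inside"): {5432},   # web tier to an internal database (assumed)
    ("net", "inside"): {1194},   # assumed VPN concentrator; traffic that may bypass the DMZ
    ("inside", "net"): None,     # unrestricted egress
    ("inside", "dmz"): None,
}


def firewall_allows(flow: Flow) -> bool:
    ports = FIREWALL_POLICY.get((flow.src, flow.dst), set())
    return ports is None or flow.dport in ports


def router_allows(flow: Flow) -> bool:
    # The quoted post assumes the net router does no screening; add ISP rules here if you have them.
    return True


FILTERS = {"ROUTER": router_allows, "FIREWALL": firewall_allows}


def find_path(graph, src, dst):
    """Shortest hop path between two segments (breadth-first search), or None if unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for neighbour in sorted(graph[node]):
            if neighbour not in prev:
                prev[neighbour] = node
                queue.append(neighbour)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def evaluate(graph, flow: Flow):
    """Return (verdict, devices that inspected the flow, intermediate segments it crossed).

    An intermediate segment is one whose hosts can observe, or if compromised tamper with,
    the traffic even though they are neither its source nor its destination.
    """
    path = find_path(graph, flow.src, flow.dst)
    if path is None:
        return "unreachable", [], []
    inspected = [n for n in path if n in FILTERS]
    crossed = [n for n in path[1:-1] if n not in FILTERS]
    for device in inspected:
        if not FILTERS[device](flow):
            return f"drop@{device}", inspected, crossed
    return "accept", inspected, crossed


if __name__ == "__main__":
    samples = [Flow("net", "inside", 1194), Flow("net", "dmz", 25), Flow("dmz", "inside", 22)]
    for name, graph in (("A: router-DMZ-firewall", TOPOLOGY_A), ("B: three-legged", TOPOLOGY_B)):
        for flow in samples:
            print(name, flow, evaluate(graph, flow))
```

Running it shows the point each poster was making. In layout A the net-to-inside flow is accepted but crosses the dmz segment, so every DMZ host sees it, and the net-to-dmz connection on port 25 is accepted after passing only the router, because the firewall is never on its path. In layout B the firewall inspects every zone crossing, the port 25 connection is dropped, and the net-to-inside flow crosses only the outside segment without ever being visible to DMZ systems.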