That is a reasonable fit to the term Paul and I were using, if we consider a
screening router a type of firewall, and the one used in Chapman and Zwicky. 
Unfortunately (and the reason I asked for clarification in the original post) others 
have used the term for a segment connected separately to the firewall as in


Internet -----[firewall]-------internal
                  |
               DMZ?  

This DMZ? has different security characteristics from the others. It routes 
differently and the use of the term DMZ for it confuses matters rather than clarifies 
them. 

The structure you diagram also has some differences from the structure where the
DMZ is directly exposed to the Internet (no ports are filtered and the addressing has 
to be public) so the terminology DMZ also is less exact than if it were used for only 
one architecture.

The original post asked whether you could use private addresses in the DMZ that
he was setting up. In the case of a completely exposed bastion host architecture, the 
answer is no. In the case of a screened semi-protected segment that you detail, or a 
third NIC, the answer is yes, but it has to be a separate subnet from the internal 
address (unless you are using a bridging firewall) to achieve routing.
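The addressing rule stated above, as an added example that is not part of this thread: a small check that flags a private prefix on a directly exposed bastion segment and flags a routed DMZ whose prefix overlaps an internal subnet. The architecture names, the function, and the sample prefixes are assumptions constructed for the example.

```python
# Added example (not from the mailing-list thread). Checks a DMZ addressing
# plan against the rule discussed above:
#   - exposed bastion segment: addresses must be public (no RFC 1918 space)
#   - screened subnet or third-NIC DMZ: private addresses are fine, but the
#     DMZ prefix must not overlap the internal prefix unless the firewall
#     bridges instead of routes.
import ipaddress

# Architecture labels are assumptions chosen for this example.
ARCHITECTURES = {"exposed_bastion", "screened_subnet", "third_nic"}

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(net):
    """True if the whole prefix lies inside one of the RFC 1918 blocks."""
    return any(net.subnet_of(block) for block in RFC1918)


def check_dmz_plan(architecture, dmz_cidr, internal_cidrs, bridging=False):
    """Return a list of problems; an empty list means the plan is consistent."""
    if architecture not in ARCHITECTURES:
        raise ValueError(f"unknown architecture: {architecture}")
    dmz = ipaddress.ip_network(dmz_cidr, strict=True)
    internal = [ipaddress.ip_network(c, strict=True) for c in internal_cidrs]
    problems = []

    if architecture == "exposed_bastion":
        # Nothing sits in front of this segment to translate for it, so an
        # RFC 1918 prefix would simply be unreachable from the Internet.
        if is_rfc1918(dmz):
            problems.append(f"{dmz} is RFC 1918 space but the DMZ is directly exposed")
    elif not bridging:
        # Routed DMZ: each segment needs its own prefix, otherwise the
        # firewall cannot tell which interface a destination lies behind.
        for net in internal:
            if dmz.overlaps(net):
                problems.append(f"DMZ {dmz} overlaps internal subnet {net}")
    return problems


if __name__ == "__main__":
    # Constructed sample plans.
    print(check_dmz_plan("exposed_bastion", "192.168.10.0/24", ["10.0.0.0/8"]))
    print(check_dmz_plan("third_nic", "192.168.10.0/24", ["192.168.1.0/24"]))
    print(check_dmz_plan("screened_subnet", "192.168.0.0/16", ["192.168.1.0/24"]))
```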

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Laura A. Robinson
Sent: Fri April 05 2002 17:21
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Basic DMZ Setup Questions...


> I think that the term DMZ (de-militarized zone which is also called
> no-man's land) loses its useful meaning if it is used for a segment on the
> inside of a firewall. I know that it is commonly used for a semi-protected
> segment on the third NIC of a firewall.

Okay, I think that perhaps there is misunderstanding as to what my
*extremely* simple statement meant, due in no small part to its constant
intentional misinterpretation on the part of another. *This* is what I was
describing:

Internet-----Firewall-----DMZ-----Firewall-----<[see below]

-----< may be connected to two [or more] different networks, at least one of
which is semi-private and the other(s) of which is/are internal.

*Therefore*, what you refer to as a DMZ and what I refer to as a DMZ are no
different. I term the DMZ as outside the internal firewall. You term the DMZ
as outside the *only* firewall. Still a DMZ. The difference is, my DMZ isn't
wide open to the Internet, nor are any semi-private segments.

Laura

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
