On 5 Apr 2002, at 19:49, Bill Royds wrote:

> That is a reasonable fit to the term Paul and I were using, if we
> consider a screening router a type of firewall, and the one used
> in Chapman and Zwicky. Unfortunately (and the reason I asked for
> clarification in the original post) others have used the term for
> a segment connected separately to the firewall as in
>
>
>     Internet -----[firewall]-------internal
>                        |
>                       DMZ
>
> This DMZ has different security characteristics from the others.
> It routes differently and the use of the term DMZ for it confuses
> matters rather than clarifies them.
Barring catastrophic defects in the firewall code itself, the primary difference between this and

    Internet --[firewall1]--DMZ--[firewall2]--internal

is that in the separately-connected segment case, a compromised server in the DMZ network has *no* possibility of sniffing traffic between the internal net and the outside. (In the two-firewall scenario, the opportunity for this can be reduced by using a switch.)

The key point is that the DMZ segment and the internal segment are separated from each other by a security-policy-enforcement boundary. Whether this boundary, and the boundary between the DMZ and the Internet, are implemented by the same device is topologically irrelevant.

What's NOT irrelevant is whether the security policy boundary between the internal network and the internet is explicitly specified, or arises out of composition of the internal/DMZ and DMZ/Internet boundaries. A debatable question is whether the composition case is really "more secure", or merely "harder to manage and, as a consequence, harder to accidentally leave hanging open".

(It has been suggested that there is some benefit to compositing two different firewall technologies, but the usual recommendation in that case is to use a packet filter for [firewall1] and an application proxy for [firewall2] FOR PERFORMANCE REASONS. It seems to me that if our primary concern is defensive security (as opposed to content monitoring...), then [firewall1] is where the application proxy is needed, and that a mix of caching and redundancy is the proper way to address the performance consequences.)

[Neither of these scenarios is a very good parallel to the original use of the term to refer to real estate around the Korean cease-fire line. If it weren't so late in the day, I'd favor a push to expunge the term "DMZ" entirely from the Network Security vocabulary. I also really dislike router appliance vendors who've begun using "DMZ" to mean "static NAT to a server on the internal network".
If you don't have a policy boundary between it and the internal network, it's not a "DMZ" by *any* sane definition.]

Dave Gillett

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
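The post's point is that the single-device ("three-legged") layout is only a DMZ if the device enforces an explicit policy boundary between the DMZ segment and the internal segment, rather than relying on that boundary falling out of the composition of two other rule sets. The following nftables ruleset is an added illustration of what such an explicit boundary looks like on one device; it is not from the thread or from any project the thread mentions, and the interface names (wan0, dmz0, lan0), addresses and the permitted ports are assumptions chosen for the example.

```nft
# Added example: one device, three interfaces, every inter-segment path
# stated explicitly. Interface names and ports are assumptions.
table inet dmz_policy {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to already-permitted flows; everything not listed below is dropped.
        ct state established,related accept
        ct state invalid drop

        # Internal -> Internet: permitted outbound.
        iifname "lan0" oifname "wan0" accept

        # Internet -> DMZ: only the published services on the DMZ hosts.
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport { 80, 443 } accept

        # Internal -> DMZ: administration paths only (assumed ports).
        iifname "lan0" oifname "dmz0" tcp dport { 22, 443 } accept

        # DMZ -> Internet: outbound name resolution only (assumed need).
        iifname "dmz0" oifname "wan0" udp dport 53 accept

        # DMZ -> Internal: the policy boundary the post insists on, written
        # out rather than left to the chain's default. Logged so that a
        # compromised DMZ host probing inward shows up in the firewall log.
        iifname "dmz0" oifname "lan0" log prefix "dmz-to-lan-blocked " drop

        # Internet -> Internal: also written out, so it does not depend on
        # the composition of the wan->dmz and dmz->lan rules above.
        iifname "wan0" oifname "lan0" log prefix "wan-to-lan-blocked " drop
    }
}
```

The two trailing `drop` rules are redundant with the chain's `policy drop`, and that is the design choice: the Internet-to-internal and DMZ-to-internal boundaries are stated as rules of their own, so a later edit that widens the DMZ rules cannot silently open a path inward, and the log prefixes give a detection hook for lateral movement attempts from the DMZ. Load with `nft -f` and review the result with `nft list ruleset` before relying on it.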
