On Fri, 5 Apr 2002 [EMAIL PROTECTED] wrote:
> But that usage creates a problem because the security significance is
> different for each architecture and you often have machines (bastion
> hosts) in the segment outside of firewall (in segment originally coined
> DMZ) as well as in the semi-protected server segment.
It's worse- the context changes depending on infrastructure that isn't
normally depicted in firewall diagrams.
Take for instance:
BR1-SW1-FW1-SW2-FW2-SW3
BR= border router, SW= switch, FW=firewall
In Laura's scenario, SW1 is a DMZ, but SW2 gets to be a DMZ if it's got
some number of externally accessible servers on it, or it's empty, but it
changes to an internal network if that's where the bulk of the internal
servers and clients sit and SW3 just happens to be the paranoid R&D
department. MODEM builders (what's left of them) didn't stop using the
term BAUD correctly just because the majority of people on the planet misuse it.
Take the also popular[1]-
BR1-SW1-FW1-SW2
        |   |
        SW3-FW2
Where SW3 is a service network with a firewalled connection back to a
single database via FW2. This is architecturally equivalent to the first
scenario in some instances, with the only differences being routing and
rulesets.
> I normally use the term "external segment" to mean the segment between
> the main firewall and the Internet router and "server segment" or
> "semi-protected segment" to mean the segment holding Internet visible
> servers but which are protected by a firewall. If you have 2 firewalls,
> the segment between them is a "transition segment".
> If we differ so much on the definition of DMZ, it has ceased to have any
> real usefulness and its further use only leads to confusion.
If we're going to term something an architecture, the meaning shouldn't
change when the arrangement of its pieces doesn't change. Semi-protected is
the term that best describes it without changing its meaning overmuch when
the things around it move or change jobs.
Paul
[1] But not necessarily recommended.
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
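The two diagrams in Paul's message, modelled as an added example (not code from the thread): link lists and the role-to-switch assignments are constructed here, and "firewalls between roles" is the only property compared, so the branched design matches the chain only once FW1's ruleset denies the direct path to the database segment.

```python
from collections import deque
from itertools import combinations

# Constructed link lists for the two diagrams: BR = border router,
# SW = switch, FW = firewall. LINEAR is BR1-SW1-FW1-SW2-FW2-SW3;
# BRANCHED hangs SW3 off FW1 and reaches SW2 (the database) via FW2.
LINEAR = [("BR1", "SW1"), ("SW1", "FW1"), ("FW1", "SW2"),
          ("SW2", "FW2"), ("FW2", "SW3")]
BRANCHED = [("BR1", "SW1"), ("SW1", "FW1"), ("FW1", "SW2"),
            ("FW1", "SW3"), ("SW3", "FW2"), ("FW2", "SW2")]

# Assumed role assignments, using the quoted poster's segment names.
LINEAR_ROLES = {"external": "SW1", "services": "SW2", "internal": "SW3"}
BRANCHED_ROLES = {"external": "SW1", "services": "SW3", "internal": "SW2"}


def firewall_hops(links, src, dst):
    """Fewest firewalls crossed on any path from src to dst (None if unreachable)."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    best = {src: 0}
    queue = deque([src])
    while queue:  # BFS with relaxation; entering an FW node costs 1
        node = queue.popleft()
        for nxt in adj.get(node, []):
            cost = best[node] + (1 if nxt.startswith("FW") else 0)
            if cost < best.get(nxt, float("inf")):
                best[nxt] = cost
                queue.append(nxt)
    return best.get(dst)


def separation(links, roles):
    """Firewalls between each pair of roles, e.g. {('external', 'internal'): 2}."""
    return {pair: firewall_hops(links, roles[pair[0]], roles[pair[1]])
            for pair in combinations(sorted(roles), 2)}


def effective_links(links, denied):
    """Drop links whose traffic a firewall ruleset denies: the topology as traffic sees it."""
    return [l for l in links if l not in denied and l[::-1] not in denied]


if __name__ == "__main__":
    print("linear:  ", separation(LINEAR, LINEAR_ROLES))
    print("branched:", separation(BRANCHED, BRANCHED_ROLES))
    locked = effective_links(BRANCHED, {("FW1", "SW2")})
    print("branched, FW1->SW2 denied:", separation(locked, BRANCHED_ROLES))
```

By wiring alone the branched design leaves the database one firewall from the Internet; the two layouts agree only after the FW1 ruleset removes that path, which is where "routing and rulesets" carry the difference.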