Aloha,

I'd like to remind everyone to define terms like "DMZ" when having
discussions such as this one. Remember that many routers, especially
lower-end SOHO routers, offer a "DMZ host" feature that configures Network
Address Translation (NAT) in the router so that a particular IP address on
the internal LAN is the default for all inbound traffic. Such a router with
a DMZ host offers zero security for the LAN if the DMZ host is
penetrated/owned from the outside.

The DMZ you seem to be discussing here is a separate network or subnet that
is able to receive unsolicited packets from the outside world, connected to
another network or subnet protected by a firewall configured to deny all
inbound traffic except for TCP packets that pertain to stateful sessions
initiated by hosts inside the protected LAN.

Sincerely,

Jason Coombs
[EMAIL PROTECTED]

-----Original Message-----
From: Volker Kindermann [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 03, 2002 10:02 PM
To: Tiago N. Sampaio
Cc: [EMAIL PROTECTED]
Subject: Re: DMZ Arguments....


Hello Tiago,


> I'd like to place a DMZ in my net, but my boss would like arguments for
> this...
> I searched the net for why a DMZ is better than a simple firewall,
> but found nothing concrete to show my boss.

building a DMZ because you want to have one is a loss of money and other
resources. A DMZ makes sense in the following scenarios:

- You offer some service (web, dns, email, ftp, etc) to the outside
world
In this case a DMZ is essential because you have to allow access to the
servers. If these servers are in your internal net and have some
security flaws an attacker is immediately on your internal fileserver,
databaseserver, etc and can do a lot of damage.
If you have a DMZ with properly configured firewalls the damage is
restricted to the failing server or, in a worse case, to all machines in
the DMZ. An article about the benefits of a properly configured DMZ
infrastructure can be found here:
http://www.linuxsecurity.com/feature_stories/ftp-analysis-part1.html


- You need a separated area to do intrusion detection
In this case you build an area between two firewalls to monitor traffic
in a relatively sane environment. You may want to place devices here
that can cancel malicious connections before they can reach your
servers.


- You don't trust one firewall-reseller
If you don't trust one firewall-reseller (firewall-technique, etc) you
can build a "DMZ" by putting two different firewalls in a serial
line. If one device fails, the other might stand the attack. Therefore
it is important in any form of DMZ to use two different firewalls on two
different operating systems.


- You won't allow direct connections from your internal LAN to the
internet
Here you can place proxy machines in the DMZ that do application level
firewalling to avoid the incubation of your internal LAN by viruses,
trojans, etc.

Of course, any combination of the above scenarios is possible.

hth
Volker
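Added example, not part of either message: Jason's firewall policy (deny everything inbound except packets belonging to sessions initiated from the protected LAN) combined with Volker's first scenario (published servers isolated in their own subnet), written as an nftables ruleset for a single three-legged firewall. The interface names and addresses are assumptions made for this illustration.

```nft
#!/usr/sbin/nft -f
# Assumed topology (constructed for this example):
#   wan0 = Internet side, dmz0 = DMZ subnet 192.0.2.0/24, lan0 = LAN 192.168.1.0/24
#   192.0.2.10 = the published web server inside the DMZ (constructed address)

flush ruleset

table inet dmz_filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful core: packets belonging to a session accepted by one of the
        # rules below may pass in either direction; anything else must match
        # an explicit rule for a new session or it hits the drop policy.
        ct state established,related accept
        ct state invalid drop

        # Protected LAN may initiate sessions to the DMZ and to the Internet.
        iifname "lan0" oifname { "dmz0", "wan0" } accept

        # Internet may initiate sessions only to the published DMZ service ports.
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport { 80, 443 } ct state new accept

        # DMZ servers get only what they need outbound (DNS here). There is
        # deliberately no rule for iifname "dmz0" oifname "lan0": a compromised
        # DMZ host cannot open a single connection into the LAN.
        iifname "dmz0" oifname "wan0" udp dport 53 accept

        # Everything else falls through to the drop policy; log it (rate-limited)
        # so the monitoring zone between the firewalls sees the attempts.
        limit rate 5/second log prefix "dmz-forward-drop: "
    }
}

# Contrast: the SOHO "DMZ host" feature Jason mentions is not a DMZ at all.
# It is a single NAT rule that hands every unsolicited inbound flow to one
# host that still sits on the internal LAN, roughly:
#   table ip nat { chain prerouting { type nat hook prerouting priority -100;
#       iifname "wan0" dnat to 192.168.1.50 } }
# Once that host is compromised, nothing separates the attacker from the LAN.
```

Load with `nft -f` on the firewall box; the two-firewall variants Volker describes split the same chain across two devices, with the DMZ subnet between them.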


