DMZ confusion

Post by Einar Bordewic » Fri, 26 Nov 1999 04:00:00



Until recently, my understanding was that DMZ (demilitarized zone) is a 3rd
interface in a firewall configuration, with legally addressed
hosts/networks/sub-networks, where these servers/hosts are publicly accessible
but secured from the GWO (great wide open).

I've now been told that DMZ must be considered as a zone where, e.g., the
internet is connected through a router (according to, e.g., the Linux
Firewall-HOWTO). If DMZ can have a non-secured connection to the internet (GWO),
then DMZ=GWO and the mess is complete.

OK! What exactly is DMZ? Is it another name for GWO, or is it a 3rd
interface controlling external services that you want to "secure"?

I guess the answers can go both ways, so I then guess that the correct
answer would be in a figurative sense of the military word "demilitarized".
So if someone can explain to me the (military) meaning of demilitarized,
this would also help.

BTW: Those TLAs are just lovely, don't you think? It really gives the
impression that you know what you are talking about ;)

regards
--
-------------------------------------------------------------------
IDG New Media     Einar Bordewich
System Manager   Phone: +47 2205 3034

-------------------------------------------------------------------

 
 
 

DMZ confusion

Post by Lars M. Hans » Fri, 26 Nov 1999 04:00:00


On Thu, 25 Nov 1999 10:36:47 +0100, Einar Bordewich spoketh

>Until recently, my understanding was that DMZ (demilitarized zone) is a 3rd
>interface in a firewall configuration, with legally addressed
>hosts/networks/sub-networks, where these servers/hosts are publicly accessible
>but secured from the GWO (great wide open).

>I've now been told that DMZ must be considered as a zone where, e.g., the
>internet is connected through a router (according to, e.g., the Linux
>Firewall-HOWTO). If DMZ can have a non-secured connection to the internet (GWO),
>then DMZ=GWO and the mess is complete.

>OK! What exactly is DMZ? Is it another name for GWO, or is it a 3rd
>interface controlling external services that you want to "secure"?

>I guess the answers can go both ways, so I then guess that the correct
>answer would be in a figurative sense of the military word "demilitarized".
>So if someone can explain to me the (military) meaning of demilitarized,
>this would also help.

>BTW: Those TLAs are just lovely, don't you think? It really gives the
>impression that you know what you are talking about ;)

>regards

It is my understanding that the term DMZ refers to a second internal
network (third interface on the firewall) to which a different set of
rules applies (than to your LAN). Depending on your rules, the DMZ is
safe (or at least protected), but not as thoroughly as your LAN, and
still better off than those machines in the GWO.

It does get a little confusing because even firewall vendors get the
terms all messed up. Axent, for instance, refers to the GWO as the
DMZ, and the DMZ as "Service Network".

Essentially, if someone manages to hack a machine on your DMZ, it's
not the end of the world, as they will still not have access to your
internal network; anything on the DMZ machine(s) (web server) should
be easily replaced...
LMH
lmhansen (at) mediaone.net
http://people.ne.mediaone.net/lmhansen

 
 
 

DMZ confusion

Post by Einar Bordewic » Fri, 26 Nov 1999 04:00:00


: It does get a little confusing because even firewall vendors get the
: terms all messed up. Axent, for instance, refers to the GWO as the
: DMZ, and the DMZ as "Service Network".

Exactly my point. It's confusing having a discussion regarding firewall
configs when the terms for the different solutions are mixed up according to
whatever interpretation your discussion partner has of the terms.

regards

--
-------------------------------------------------------------------
IDG New Media     Einar Bordewich
System Manager   Phone: +47 2205 3034

-------------------------------------------------------------------


> On Thu, 25 Nov 1999 10:36:47 +0100, Einar Bordewich spoketh

> >Until recently, my understanding was that DMZ (demilitarized zone) is a 3rd
> >interface in a firewall configuration, with legally addressed
> >hosts/networks/sub-networks, where these servers/hosts are publicly accessible
> >but secured from the GWO (great wide open).

> >I've now been told that DMZ must be considered as a zone where, e.g., the
> >internet is connected through a router (according to, e.g., the Linux
> >Firewall-HOWTO). If DMZ can have a non-secured connection to the internet (GWO),
> >then DMZ=GWO and the mess is complete.

> >OK! What exactly is DMZ? Is it another name for GWO, or is it a 3rd
> >interface controlling external services that you want to "secure"?

> >I guess the answers can go both ways, so I then guess that the correct
> >answer would be in a figurative sense of the military word "demilitarized".
> >So if someone can explain to me the (military) meaning of demilitarized,
> >this would also help.

> >BTW: Those TLAs are just lovely, don't you think? It really gives the
> >impression that you know what you are talking about ;)

> >regards

> It is my understanding that the term DMZ refers to a second internal
> network (third interface on the firewall) to which a different set of
> rules applies (than to your LAN). Depending on your rules, the DMZ is
> safe (or at least protected), but not as thoroughly as your LAN, and
> still better off than those machines in the GWO.

> It does get a little confusing because even firewall vendors get the
> terms all messed up. Axent, for instance, refers to the GWO as the
> DMZ, and the DMZ as "Service Network".

> Essentially, if someone manages to hack a machine on your DMZ, it's
> not the end of the world, as they will still not have access to your
> internal network; anything on the DMZ machine(s) (web server) should
> be easily replaced...
> LMH
> lmhansen (at) mediaone.net
> http://people.ne.mediaone.net/lmhansen

 
 
 

DMZ confusion

Post by Lars M. Hans » Fri, 26 Nov 1999 04:00:00


On Thu, 25 Nov 1999 13:43:33 +0100, Einar Bordewich spoketh

>: It does get a little confusing because even firewall vendors get the
>: terms all messed up. Axent, for instance, refers to the GWO as the
>: DMZ, and the DMZ as "Service Network".

>Exactly my point. It's confusing having a discussion regarding firewall
>configs when the terms for the different solutions are mixed up according to
>whatever interpretation your discussion partner has of the terms.

>regards

I can only add that DMZ is _commonly_ used to refer to a network
behind a firewall but separate from your internal LAN.
LMH
lmhansen (at) mediaone.net
http://people.ne.mediaone.net/lmhansen
 
 
 

DMZ confusion

Post by Sandy Whitema » Fri, 26 Nov 1999 04:00:00


Militarily speaking, a DMZ would be territory kept free of battle, either
simply by mutual consent of all factions or with the aid of third-party
peacekeepers.  Needless to say, the expression has very little relevance to
the common computer security usage, which Lars correctly pointed out, as our
"DMZ" is actually a place *reserved* for battles, a lure of sorts where the
losses incurred would not be as devastating as the penetration of a
company's intranet or internal files and databases.


>Until recently, my understanding was that DMZ (demilitarized zone) is a 3rd
>interface in a firewall configuration, with legally addressed
>hosts/networks/sub-networks, where these servers/hosts are publicly accessible
>but secured from the GWO (great wide open).

>I've now been told that DMZ must be considered as a zone where, e.g., the
>internet is connected through a router (according to, e.g., the Linux
>Firewall-HOWTO). If DMZ can have a non-secured connection to the internet (GWO),
>then DMZ=GWO and the mess is complete.

>OK! What exactly is DMZ? Is it another name for GWO, or is it a 3rd
>interface controlling external services that you want to "secure"?

>I guess the answers can go both ways, so I then guess that the correct
>answer would be in a figurative sense of the military word "demilitarized".
>So if someone can explain to me the (military) meaning of demilitarized,
>this would also help.

>BTW: Those TLAs are just lovely, don't you think? It really gives the
>impression that you know what you are talking about ;)

>regards
>--
>-------------------------------------------------------------------
>IDG New Media     Einar Bordewich
>System Manager   Phone: +47 2205 3034

>-------------------------------------------------------------------

 
 
 

DMZ confusion

Post by John McKa » Fri, 26 Nov 1999 04:00:00


Yes.. to have a DMZ requires a 3rd interface.  If you only have 2, then life
is either inside/outside or private/public.  With the 3rd, or more as we
have, they become the DMZ, or middle.  You can defeat the DMZ by
misconfiguration, or by demands from IT departments.  We run a prod DMZ and a
cert DMZ, with an inside firewall to a pre-cert segment requiring no fw
access.  Rules allow movement from pre-cert to cert, but not prod.  Movement
from cert to prod goes through the firewall, along with lots of paperwork.
In general... fw rules from the outside/middle, inside/middle.  From outside
to inside... NO.  Inside to outside.. yes... for internet access (with RADIUS
authentication).


> Until recently, my understanding was that DMZ (demilitarized zone) is a 3rd
> interface in a firewall configuration, with legally addressed
> hosts/networks/sub-networks, where these servers/hosts are publicly accessible
> but secured from the GWO (great wide open).

> I've now been told that DMZ must be considered as a zone where, e.g., the
> internet is connected through a router (according to, e.g., the Linux
> Firewall-HOWTO). If DMZ can have a non-secured connection to the internet (GWO),
> then DMZ=GWO and the mess is complete.

> OK! What exactly is DMZ? Is it another name for GWO, or is it a 3rd
> interface controlling external services that you want to "secure"?

> I guess the answers can go both ways, so I then guess that the correct
> answer would be in a figurative sense of the military word "demilitarized".
> So if someone can explain to me the (military) meaning of demilitarized,
> this would also help.

> BTW: Those TLAs are just lovely, don't you think? It really gives the
> impression that you know what you are talking about ;)

> regards
> --
> -------------------------------------------------------------------
> IDG New Media     Einar Bordewich
> System Manager   Phone: +47 2205 3034

> -------------------------------------------------------------------
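The zone policy John describes above (outside may reach the middle, inside may reach the middle and the outside, outside may never reach inside) and Lars's point that a hacked DMZ box should not get you into the LAN can be checked mechanically. The following is an added illustration, not code from anyone in this thread: it models a three-interface firewall as a first-match, default-deny rule list and evaluates constructed connection attempts against it. The prefixes (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the internal LAN) and the open ports are assumptions chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing for the three interfaces (assumed, not from the thread):
# the DMZ ("middle") and the internal LAN get explicit prefixes; any other
# address is treated as the outside / GWO.
ZONE_PREFIXES = {
    "dmz": [ip_network("192.0.2.0/24")],
    "inside": [ip_network("10.0.0.0/8")],
}


def zone_of(addr: str) -> str:
    """Map an address to the firewall interface (zone) it sits behind."""
    ip = ip_address(addr)
    for zone, prefixes in ZONE_PREFIXES.items():
        if any(ip in p for p in prefixes):
            return zone
    return "outside"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "accept" or "deny"


# First-match policy for *new connections*. Reply packets are assumed to be
# handled by stateful connection tracking and are not modelled here.
# Anything not listed falls through to the default deny.
POLICY = [
    Rule("outside", "dmz", "tcp", 80, "accept"),       # public web server
    Rule("outside", "dmz", "tcp", 25, "accept"),       # mail relay
    Rule("inside", "dmz", "tcp", None, "accept"),      # admin the DMZ from the LAN
    Rule("inside", "outside", "tcp", None, "accept"),  # LAN users browse out
    # No rule lets outside reach inside, and no rule lets a DMZ host
    # initiate anywhere: that is what limits the damage of a DMZ compromise.
]


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Return the action for a new connection src -> dst:dport.

    "local" means both ends sit in the same zone, so the traffic never
    crosses the firewall at all."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "local"
    for rule in POLICY:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto == proto
                and (rule.dport is None or rule.dport == dport)):
            return rule.action
    return "deny"  # default deny


def reachable_from(src: str) -> set:
    """Blast radius: the (zone, port) targets a host may initiate to.

    None as the port means "any port"; an empty set means the host can
    open nothing through the firewall."""
    src_zone = zone_of(src)
    return {(r.dst_zone, r.dport) for r in POLICY
            if r.src_zone == src_zone and r.action == "accept"}


if __name__ == "__main__":
    # Constructed sample connection attempts.
    samples = [
        ("203.0.113.5", "192.0.2.10", "tcp", 80),   # internet -> DMZ web server
        ("203.0.113.5", "10.0.0.5", "tcp", 80),     # internet -> internal LAN
        ("192.0.2.10", "10.0.0.5", "tcp", 3306),    # DMZ host -> LAN database
        ("10.0.0.5", "192.0.2.10", "tcp", 22),      # LAN admin -> DMZ host
        ("10.0.0.5", "203.0.113.5", "tcp", 443),    # LAN user -> internet
    ]
    for s in samples:
        print(f"{s[0]:>13} -> {s[1]:>12}:{s[3]:<5} {evaluate(*s)}")
    print("a compromised DMZ host can open:", reachable_from("192.0.2.10") or "nothing")
```

The interesting line is the third sample: a web server in the DMZ trying to open a database connection into the LAN is denied, because no rule has the DMZ as a source. If you need such a flow (Steve's dynamic-pages case later in the thread), add it as a narrow rule to one host and one port rather than re-homing the web server on the internal segment.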

 
 
 

DMZ confusion

Post by Patrick Farrel » Fri, 26 Nov 1999 04:00:00


The DMZ is a separate zone from your internal network. You can, say, put the web
server and such on the DMZ and have rules set up to protect it, but since it has
to have some services like http and maybe ftp open, it is still open to any
vulnerabilities due to flaws in the implementations of the server.

What this gains you is this: if someone breaches a DMZ machine, your internal
network is on a different interface and they can't cross over.

Does that help at all?

Patrick


> Until recently, my understanding was that DMZ (demilitarized zone) is a 3rd
> interface in a firewall configuration, with legally addressed
> hosts/networks/sub-networks, where these servers/hosts are publicly accessible
> but secured from the GWO (great wide open).

> I've now been told that DMZ must be considered as a zone where, e.g., the
> internet is connected through a router (according to, e.g., the Linux
> Firewall-HOWTO). If DMZ can have a non-secured connection to the internet (GWO),
> then DMZ=GWO and the mess is complete.

> OK! What exactly is DMZ? Is it another name for GWO, or is it a 3rd
> interface controlling external services that you want to "secure"?

> I guess the answers can go both ways, so I then guess that the correct
> answer would be in a figurative sense of the military word "demilitarized".
> So if someone can explain to me the (military) meaning of demilitarized,
> this would also help.

> BTW: Those TLAs are just lovely, don't you think? It really gives the
> impression that you know what you are talking about ;)

> regards
> --
> -------------------------------------------------------------------
> IDG New Media     Einar Bordewich
> System Manager   Phone: +47 2205 3034

> -------------------------------------------------------------------

 
 
 

DMZ confusion

Post by Jim Sha » Sat, 27 Nov 1999 04:00:00


I have come across several uses of the word DMZ, including a separate subnet off
a firewall and the subnet immediately behind the internet router.

In both cases the subnet has filtered access through either a firewall rule or a
router ACL. There is potentially more control and stronger auditing possible on
a subnet off a firewall.

The main point, though, is that a DMZ is a network whose servers are permitted
direct access of some sort from the Internet, and is one where you
assume that the servers will be attacked and may at any time be compromised. You
do not trust the servers even though they are yours.

Jim


> Until recently, my understanding was that DMZ (demilitarized zone) is a 3rd
> interface in a firewall configuration, with legally addressed
> hosts/networks/sub-networks, where these servers/hosts are publicly accessible
> but secured from the GWO (great wide open).

> I've now been told that DMZ must be considered as a zone where, e.g., the
> internet is connected through a router (according to, e.g., the Linux
> Firewall-HOWTO). If DMZ can have a non-secured connection to the internet (GWO),
> then DMZ=GWO and the mess is complete.

> OK! What exactly is DMZ? Is it another name for GWO, or is it a 3rd
> interface controlling external services that you want to "secure"?

> I guess the answers can go both ways, so I then guess that the correct
> answer would be in a figurative sense of the military word "demilitarized".
> So if someone can explain to me the (military) meaning of demilitarized,
> this would also help.

> BTW: Those TLAs are just lovely, don't you think? It really gives the
> impression that you know what you are talking about ;)

> regards
> --
> -------------------------------------------------------------------
> IDG New Media     Einar Bordewich
> System Manager   Phone: +47 2205 3034

> -------------------------------------------------------------------

--

  P.O. Box 10616,
  5-7 Willeston Street, Wellington, New Zealand
  Ph. +64-4-4727218 Fax. +64-4-4727219
 
 
 

DMZ confusion

Post by Derek Morto » Sat, 27 Nov 1999 04:00:00


An attempt at a picture......or maybe just a graphic illustration

        internet                                               NOT trusted
            |
        outer firewall
            |
        DMZ     web servers, email relays (NOT members of any domain)
            |                                                  NOT trusted
        inner firewall
            |
        internal network                                       trusted

Derek


>The DMZ is a separate zone from your internal network. You can, say, put the web
>server and such on the DMZ and have rules set up to protect it, but since it has
>to have some services like http and maybe ftp open, it is still open to any
>vulnerabilities due to flaws in the implementations of the server.

>What this gains you is this: if someone breaches a DMZ machine, your internal
>network is on a different interface and they can't cross over.

>Does that help at all?

>Patrick


>> Until recently, my understanding was that DMZ (demilitarized zone) is a 3rd
>> interface in a firewall configuration, with legally addressed
>> hosts/networks/sub-networks, where these servers/hosts are publicly accessible
>> but secured from the GWO (great wide open).

>> I've now been told that DMZ must be considered as a zone where, e.g., the
>> internet is connected through a router (according to, e.g., the Linux
>> Firewall-HOWTO). If DMZ can have a non-secured connection to the internet (GWO),
>> then DMZ=GWO and the mess is complete.

>> OK! What exactly is DMZ? Is it another name for GWO, or is it a 3rd
>> interface controlling external services that you want to "secure"?

>> I guess the answers can go both ways, so I then guess that the correct
>> answer would be in a figurative sense of the military word "demilitarized".
>> So if someone can explain to me the (military) meaning of demilitarized,
>> this would also help.

>> BTW: Those TLAs are just lovely, don't you think? It really gives the
>> impression that you know what you are talking about ;)

>> regards
>> --
>> -------------------------------------------------------------------
>> IDG New Media     Einar Bordewich
>> System Manager   Phone: +47 2205 3034

>> -------------------------------------------------------------------

 
 
 

DMZ confusion

Post by Nikola Milutinovi » Sat, 27 Nov 1999 04:00:00



> Until recently, my understanding was that DMZ (demilitarized zone) is a 3rd
> interface in a firewall configuration, with legally addressed
> hosts/networks/sub-networks, where these servers/hosts are publicly accessible
> but secured from the GWO (great wide open).

> I've now been told that DMZ must be considered as a zone where, e.g., the
> internet is connected through a router (according to, e.g., the Linux
> Firewall-HOWTO). If DMZ can have a non-secured connection to the internet (GWO),
> then DMZ=GWO and the mess is complete.

DMZ is a subnet, accessible from GWO, but which is at least packet-filter
protected.

It can be directly behind the router if the router will do packet filtering (a
good idea, anyway).

It can be on a 3rd interface of the firewall, just like in AltaVista FW98 and
others. In that case, the firewall is supposed to do packet filtering. Of
course, nothing stops the router from doing it as well.

It can even be on the inside net, accessible through a proxy, but I have rarely
seen this described as DMZ. Usually, there is no access from the outside to the
inside and monitored/controlled access to the DMZ.

Nix.
--
... - Borgs i-n-n-n  S-P-A-A-C-C-C-E-E-E-E! -

 
 
 

DMZ confusion

Post by Leif Glering Jense » Sat, 27 Nov 1999 04:00:00



> An attempt at a picture......or maybe just a graphic illustration

>         internet                                               NOT trusted
>             |
>         outer firewall
>             |
>         DMZ     web servers, email relays (NOT members of any domain)
>             |                                                  NOT trusted
>         inner firewall
>             |
>         internal network                                       trusted

> Derek

A cheaper and easier way to do it is below.

         ------------
internet-| firewall |-DMZ
         |          |
         |          |-internal
         ------------

--
 o o
  A         Leif G. Jensen
 \_/ Alias: Leif d. lykkelige

 
 
 

DMZ confusion

Post by Ean Kingsto » Sat, 27 Nov 1999 04:00:00


I'm fairly new to the firewall world (only been doing it for 2 years) but
my interpretation of a DMZ (at least the way they taught me) is that
Derek's diagram shows a DMZ but Leif's diagram doesn't.  Also, if Derek's
"outer firewall" were replaced with a Packet Filtering Router he would
still have a DMZ, and there could even be more than one "outer firewall"
connected to the DMZ.

My understanding is that Leif's diagram is showing a firewall with two
"secure" networks: one which is accessible from the Internet (where you
stick your web servers) and the one he labeled "internal".

I take my network implementation a step further and do not allow traffic
from the Internet to stop in the DMZ.  All Internet traffic must go to a
production LAN on a separate interface from the Internal LAN.  This is as
close as I can get to a military-like DMZ (since the hostiles can't get
there nor can anything from the Web farm stop there).  I put packet
sniffers and other "catch the badguy" devices in the DMZ.

Here is the way I see the DMZ:

Internet
   |
Packet Filtering Router
   |
 DMZ Segment (if the source address isn't on this segment then
   |          the destination address isn't allowed to be on
   |          this segment)
   |
Firewall---Web Farm
   |
Internal

And I try to keep the management systems (snmp manager, backup server,
remote syslogd server) on a 4th interface off the firewall (not shown).
This means that even if the web farm is compromised they still haven't
gotten to the backup server.  It's a bit difficult to get backup software
that does remote backups by pulling data as opposed to letting the servers
push data, but it's a lot more secure.

This design does conveniently turn the DMZ into



> > An attempt at a picture......or maybe just a graphic illustration

Derek's Diagram

> >         internet                                               NOT trusted
> >             |
> >         outer firewall
> >             |
> >         DMZ     web servers, email relays (NOT members of any domain)
> >             |                                                  NOT trusted
> >         inner firewall
> >             |
> >         internal network                                       trusted

> > Derek

> A cheaper and easier way to do it is below.

Leif's Diagram

>         ------------
> internet-| firewall |-DMZ
>         |          |
>         |          |-internal
>         ------------

--

Ean Kingston
Just another faceless name on the Internet.
URL: http://www.korax.net/~ean
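Ean's point that the DMZ is where you put the sniffers and "catch the badguy" devices, and Jim's earlier point that you assume DMZ servers will be compromised, suggest the one log event that matters most on such a firewall: a DMZ host trying to open connections *inward* and being dropped. The following added example, not from anyone in the thread, parses constructed iptables-style log lines (the format, the interface names and the 192.0.2.0/24 DMZ and 10.0.0.0/8 internal prefixes are all assumptions) and raises an alert when a DMZ source accumulates denied attempts toward the internal LAN, which is the signature of a compromised web server looking for its next hop.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed zone layout (assumed, not from the thread).
DMZ_NET = ip_network("192.0.2.0/24")
INSIDE_NET = ip_network("10.0.0.0/8")

# Constructed sample firewall log in an iptables-style format. eth0 is the
# outside interface, eth1 the DMZ, eth2 the internal LAN.
SAMPLE_LOG = """\
Nov 26 10:36:47 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80
Nov 26 10:37:02 fw kernel: DROP IN=eth1 OUT=eth2 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP DPT=445
Nov 26 10:37:03 fw kernel: DROP IN=eth1 OUT=eth2 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP DPT=3389
Nov 26 10:37:05 fw kernel: DROP IN=eth1 OUT=eth2 SRC=192.0.2.10 DST=10.0.0.6 PROTO=TCP DPT=22
Nov 26 10:38:10 fw kernel: DROP IN=eth0 OUT=eth2 SRC=203.0.113.5 DST=10.0.0.5 PROTO=TCP DPT=23
Nov 26 10:39:00 fw kernel: ACCEPT IN=eth2 OUT=eth1 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=22
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) IN=(?P<inif>\S+) OUT=(?P<outif>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)"
)


def zone_of(addr):
    """Classify an address as dmz, inside, or outside (anything else)."""
    ip = ip_address(addr)
    if ip in DMZ_NET:
        return "dmz"
    if ip in INSIDE_NET:
        return "inside"
    return "outside"


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            event = m.groupdict()
            event["dport"] = int(event["dport"])
            events.append(event)
    return events


def detect_dmz_pivot(log_text, min_attempts=2):
    """Alert on DMZ sources with >= min_attempts dropped connections into the LAN.

    Outside -> inside drops are ordinary background noise and are ignored
    here; a DMZ host should never initiate inward at all, so even a handful
    of drops from one is worth a ticket."""
    attempts = defaultdict(list)
    for e in parse(log_text):
        if (e["action"] == "DROP"
                and zone_of(e["src"]) == "dmz"
                and zone_of(e["dst"]) == "inside"):
            attempts[e["src"]].append((e["dst"], e["dport"]))
    alerts = []
    for src, tries in attempts.items():
        if len(tries) >= min_attempts:
            alerts.append({
                "src": src,
                "attempts": len(tries),
                "targets": sorted({dst for dst, _ in tries}),
                "ports": sorted({port for _, port in tries}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_dmz_pivot(SAMPLE_LOG):
        print(f"possible pivot from DMZ host {alert['src']}: "
              f"{alert['attempts']} denied attempts toward {alert['targets']} "
              f"on ports {alert['ports']}")
```

This only works if the firewall logs its drops to a syslog host the DMZ cannot reach, which is exactly why Ean keeps the remote syslogd on its own fourth interface: a compromised web server that can rewrite the logs can hide the very attempts this rule looks for.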

 
 
 

DMZ confusion

Post by Stev » Sun, 28 Nov 1999 04:00:00


Leif,

So, in your configuration below, the machines in the DMZ have a 2nd
NIC which then connects into a switch/hub where the rest of your
servers live. (like the db server for dynamic web pages)

Is this correct:

EXTERNAL         -->    DMZ      -->   INTERNAL
internet---->firewall-->web server-->Switch/Hub<--db server

Thanks for the info.

-steve

On Fri, 26 Nov 1999 12:33:38 +0000, Leif Glering Jensen



>> An attempt at a picture......or maybe just a graphic illustration

>>         internet                                               NOT trusted
>>             |
>>         outer firewall
>>             |
>>         DMZ     web servers, email relays (NOT members of any domain)
>>             |                                                  NOT trusted
>>         inner firewall
>>             |
>>         internal network                                       trusted

>> Derek

>A cheaper and easier way to do it is below.

>         ------------
>internet-| firewall |-DMZ
>         |          |
>         |          |-internal
>         ------------

>--
> o o
>  A     Leif G. Jensen
> \_/ Alias: Leif d. lykkelige

 
 
 

DMZ confusion

Post by Don Kellowa » Sun, 28 Nov 1999 04:00:00


There are two common methods of implementing a DMZ. The "modern" DMZ and the
"traditional" DMZ.

"Building Internet Firewalls" written by Chapman and Zwicky (published by
O'Reilly and Associates) covers this topic pretty well.

--
Best Regards, Don Kelloway

For *your* protection, visit http://www.commodon.com/threat to learn about
Back Orifice, NetBus and a few others.  All of which are threats to your
security on the 'net.


>Leif,

>So, in your configuration below, the machines in the DMZ have a 2nd
>NIC which then connects into a switch/hub where the rest of your
>servers live. (like the db server for dynamic web pages)

>Is this correct:

>EXTERNAL         -->    DMZ      -->   INTERNAL
>internet---->firewall-->web server-->Switch/Hub<--db server

>Thanks for the info.

>-steve

>On Fri, 26 Nov 1999 12:33:38 +0000, Leif Glering Jensen


>>> An attempt at a picture......or maybe just a graphic illustration

>>>         internet                                               NOT trusted
>>>             |
>>>         outer firewall
>>>             |
>>>         DMZ     web servers, email relays (NOT members of any domain)
>>>             |                                                  NOT trusted
>>>         inner firewall
>>>             |
>>>         internal network                                       trusted

>>> Derek

>>A cheaper and easier way to do it is below.

>>         ------------
>>internet-| firewall |-DMZ
>>         |          |
>>         |          |-internal
>>         ------------

>>--
>> o o
>>  A     Leif G. Jensen
>> \_/ Alias: Leif d. lykkelige

 
 
 
