Very Computer

Until recently, my understandings was that DMZ (demilitarized zone) is a 3rd
interface in a firewall configuration, with legal addressed
host/networks/sub-network, where these servers/hosts is publicly accessible
but secured from the GWO (great wide open).

I've now been told, that DMZ must be considered as a zone where f.ex.
internet is connected through a router (according to f.ex. Linux
Firewall-HOWTO). If DMZ can have a non-secured connection to internet(GWO),
then DMZ=GWO and the mess is fulfilled.

OK! What exactly is DMZ, is it another name for GWO, or is it a 3rd
interface controlling external services that you want to "secure"?

I guess the answeres can go both ways, so I then guess that the correct
answere would be in a figurative sense of the military word "demilitarized".
So if someone can explain to me the (military) meening of demilitarized,
this would also help.

BTW: Those TLA's is just lovely, don't you think. It realy gives the
impression that you know what you are talking about ;)

regards
--
-------------------------------------------------------------------
IDG New Media     Einar Bordewich
System Manager   Phone: +47 2205 3034

-------------------------------------------------------------------

On Thu, 25 Nov 1999 10:36:47 +0100, Einar Bordewich spoketh

Quote:>Until recently, my understandings was that DMZ (demilitarized zone) is a 3rd
>interface in a firewall configuration, with legal addressed
>host/networks/sub-network, where these servers/hosts is publicly accessible
>but secured from the GWO (great wide open).

>I've now been told, that DMZ must be considered as a zone where f.ex.
>internet is connected through a router (according to f.ex. Linux
>Firewall-HOWTO). If DMZ can have a non-secured connection to internet(GWO),
>then DMZ=GWO and the mess is fulfilled.

>OK! What exactly is DMZ, is it another name for GWO, or is it a 3rd
>interface controlling external services that you want to "secure"?

>I guess the answeres can go both ways, so I then guess that the correct
>answere would be in a figurative sense of the military word "demilitarized".
>So if someone can explain to me the (military) meening of demilitarized,
>this would also help.

>BTW: Those TLA's is just lovely, don't you think. It realy gives the
>impression that you know what you are talking about ;)

>regards

It is my understanding that the term DMZ refers to a second internal
network (third interface on the firewall) to which a different set of
rules applies (than to your lan). Depending on your rules, the DMZ is
safe (or at least protected) but not as thoroughly as your LAN but
still better off than those machines in the GWO.

It does get a little confusing because even firewall vendors gets the
terms all messed up. Axent, for instance, refers to the GWO as the
DMZ, and the DMZ as "Service Network".

Essentially, if someone manages to hack a machine on your DMZ, it's
not the end of the world, as they will still not have access to your
internal network, anything on the DMZ machine(s) (web server) should
be easily replaced...
LMH
lmhansen (at) mediaone.net
http://people.ne.mediaone.net/lmhansen

: It does get a little confusing because even firewall vendors gets the
: terms all messed up. Axent, for instance, refers to the GWO as the
: DMZ, and the DMZ as "Service Network".

Exactly my point. It's confusing having a discussion regarding firewall
configs when the terms for the different solutions is mixed up, according to
whatever interpretation your discussion partner have off the terms.

regards

--
-------------------------------------------------------------------
IDG New Media     Einar Bordewich
System Manager   Phone: +47 2205 3034

-------------------------------------------------------------------

Quote:> On Thu, 25 Nov 1999 10:36:47 +0100, Einar Bordewich spoketh

> >Until recently, my understandings was that DMZ (demilitarized zone) is a
3rd
> >interface in a firewall configuration, with legal addressed
> >host/networks/sub-network, where these servers/hosts is publicly
accessible
> >but secured from the GWO (great wide open).

> >I've now been told, that DMZ must be considered as a zone where f.ex.
> >internet is connected through a router (according to f.ex. Linux
> >Firewall-HOWTO). If DMZ can have a non-secured connection to
internet(GWO),
> >then DMZ=GWO and the mess is fulfilled.

> >OK! What exactly is DMZ, is it another name for GWO, or is it a 3rd
> >interface controlling external services that you want to "secure"?

> >I guess the answeres can go both ways, so I then guess that the correct
> >answere would be in a figurative sense of the military word
"demilitarized".
> >So if someone can explain to me the (military) meening of demilitarized,
> >this would also help.

> >BTW: Those TLA's is just lovely, don't you think. It realy gives the
> >impression that you know what you are talking about ;)

> >regards

> It is my understanding that the term DMZ refers to a second internal
> network (third interface on the firewall) to which a different set of
> rules applies (than to your lan). Depending on your rules, the DMZ is
> safe (or at least protected) but not as thoroughly as your LAN but
> still better off than those machines in the GWO.

> It does get a little confusing because even firewall vendors gets the
> terms all messed up. Axent, for instance, refers to the GWO as the
> DMZ, and the DMZ as "Service Network".

> Essentially, if someone manages to hack a machine on your DMZ, it's
> not the end of the world, as they will still not have access to your
> internal network, anything on the DMZ machine(s) (web server) should
> be easily replaced...
> LMH
> lmhansen (at) mediaone.net
> http://people.ne.mediaone.net/lmhansen

On Thu, 25 Nov 1999 13:43:33 +0100, Einar Bordewich spoketh

Quote:>: It does get a little confusing because even firewall vendors gets the
>: terms all messed up. Axent, for instance, refers to the GWO as the
>: DMZ, and the DMZ as "Service Network".

>Exactly my point. It's confusing having a discussion regarding firewall
>configs when the terms for the different solutions is mixed up, according to
>whatever interpretation your discussion partner have off the terms.

>regards

I can only add that DMZ is _commonly_ used to refer to a network
behind a firewall but separate from your internal LAN.
LMH
lmhansen (at) mediaone.net
http://people.ne.mediaone.net/lmhansen

Militarily speaking, a DMZ would be territory kept free of battle, either
simply by mutual consent of all factions or with the aid of third-party
peacekeepers.  Needless to say, the expression has very little relevance to
the common computer security usage, which Lars correctly pointed out, as our
"DMZ" is actualy a place *reserved* for battles, a lure of sorts where the
losses incurred would not be as devastating as the penetration of a
company's intranet or internal files and databases.

Yes.. to have a dmz requires a 3rd interface.  if you only have 2, then life
is either inside/outside or private/public.  with the 3rd, or more as we
have, they become the dmz, or middle.  you can defeat the dmz by
miss-configuration, or demands from it departments.  we run a prod dmz, a
cert dmz, with an inside firewall to a pre-cert segment requiring no fw
access.  rules allow movement from pre-cert to cert, but not prod.  movement
from cert to prod goes through the firewall, along with lotsa of paperwork.
in general... fw rules from the outside/middle, inside/middle.  from outside
to inside... NO. inside to outside.. yes... for internet access (with radius
authentication).

The DMZ is a seperate zone than your internal network. You can say put the web
server and such on the dmz and have rules set up to protect it but since it has
to have some services like http and maybe ftp open it still has any
vulnerabilities due to flaws in the implimentations of the server.

What this gains you is this, if someone breaches a dmz machine, your internal
network is on a different interface and they can't cross over.

Does that help at all?

Patrick

I have come across several uses of the word DMZ including a separate subnet off
a firewall and the subnet immediately behind the internet router.

In both cases the subnet has filtered access through either a firewall rule or a
router ACL. There is potentially more control and stronger auditing possible on
a subnet off a firewall.

The main point though is that a DMZ is a network that servers are permitted
direct access of some sort directly from the Internet, and is one where you
assume that the servers will be attacked and may at any time be compromised. You
do not trust the servers evn though they are yours.

Jim

--

  P.O. Box 10616,
  5-7 Willeston Street, Wellington, New Zealand
  Ph. +64-4-4727218 Fax. +64-4-4727219

An attempt at a picture......or maybe just a graphic illustration

                internet                                                        NOT trusted
                        I
        outer firewall
                        I
                DMZ     web servers, email relays (NOT members of any domain)
                        I                                       NOT trusted
        inner firewall
                        I
        internal network                        trusted

Derek

DMZ is a subnet, accessible from GWO, but which is at least packet-filter
protected.

It can be directly behind the router if the router will do packet filtering (a
good idea, anyway).

It can be on a 3rd interface of the firewall, just like in AltaVista FW98 and
others. In that case, the firewall is supposed to do packet filtering. Of
course, there is no stop for the router to do it as well.

It can even be on the inside net, accessible through proxy, but I have rarely
seen this described as DMZ. Usually, there is no access from the outside to the
inside and monitoreed/controlled access to DMZ.

Nix.
--
... - Borgs i-n-n-n  S-P-A-A-C-C-C-E-E-E-E! -

An cheaper and easier way to do it is below.

         ------------
internet-| firewall |-DMZ
         |          |
         |          |-internal
         ------------

--
 o o
  A         Leif G. Jensen
 \_/ Alias: Leif d. lykkelige

I'm fairly new to the firewall world (only been doing it for 2 years) but
my interpretation of a DMZ (at least the way they taught me) is that
Derek's diagram shows a DMZ but Leif's diagram doesn't.  Also if Derek's
"outer firewall" were replace with a Packet Filtering Router he would
still have a DMZ and there could even be more then one "outer firewall"
connected to the DMZ.

My understanding is that Leif's diagram is showing a firewall with to
"secure" networks.  One which is accessible from the Internet (where you
stick your web servers) and the one he labeled "internal"

I take my network implementation a step ferther and do not allow traffic
from the Internet to stop in the DMZ.  All Internet traffic must go to a
production LAN on a separate interface from the Internal LAN.  This is as
close as I can get to a military like DMZ (since the hostiles can't get
there nor can anything from the Web farm stop there).  I put packet
sniffers and other "catch the badguy" devices in the DMZ.

Here is the way I see the DMZ:

Internet
   |
Packet Filtering Router
   |
 DMZ Segment (if the source address isn't on this segment then
   |          the destination address isn't allowed to be on
   |          this segment)
   |
Firewall---Web Farm
   |
Internal

And I try and keep the managemnt systems (snmp manager, backup server,
remote syslogd server) on a 4th interface off the firewall (not shown).
This means that even if the web farm is compromized they still haven't
gotten to the backup server.  It's a bit difficult to get backup software
that does remote backups by pulling data as opposed to letting the servers
push data but it's a lot more secure.

This design does conveniently turn the DMZ into

Derek's Diagram

Quote:> >                 internet                                                        NOT trusted
> >                         I
> >         outer firewall
> >                         I
> >                 DMZ     web servers, email relays (NOT members of any domain)
> >                         I                                       NOT trusted
> >         inner firewall
> >                         I
> >         internal network                        trusted

> > Derek

> An cheaper and easier way to do it is below.

Leif's Diagram

Quote:>     ------------
> internet-| firewall |-DMZ
>     |          |
>     |          |-internal
>     ------------

--

Ean Kingston
Just another faceless name on the Internet.
URL: http://www.korax.net/~ean

Leif,

So, in your configuration below, the machines in the DMZ have a 2nd
NIC which then connects into a switch/hub where the rest of your
servers live. (like the db server for dynamic web pages)

Is this correct:

EXTERNAL         -->    DMZ      -->   INTERNAL
internet---->firewall-->web server-->Switch/Hub<--db server

Thanks for the info.

-steve

On Fri, 26 Nov 1999 12:33:38 +0000, Leif Glering Jensen

There are two common methods of implementing a DMZ. The "modern" DMZ and the
"traditional" DMZ.

"Building Internet Firewalls" written by Chapman and Zwicky (published by
O'Reilly and Associates) covers this topic pretty well.

--
Best Regards, Don Kelloway

For *your* protection, visit http://www.commodon.com/threat to learn about
Back Orifice, NetBus and a few others.  All of which are threats to your
security on the 'net.