I was going to quickly jump to Michael's defence, but just to be sure I
checked both resources and found out that the Cheswick & Bellovin book
(Firewalls and Internet Security: Repelling the Wily Hacker) leaves a little
room for interpretation. They define DMZ as "the network inhabited by the
gateway". HOWEVER, their definition of gateway is "a machine or a set of
machines that provides relay services to compensate for the effects of [the]
filter" (as opposed to a bastion host) AND the diagram they draw does
illustrate the gateway(s) network protected by two filters - classic
screened subnet.

And contrary to Geoffrey's citation, the O'Reilly book (I assumed Building
Internet Firewalls by Chapman & Zwicky) defines DMZ as "a network added
between a protected network and an external network, in order to provide an
additional layer of security" - again, a screened subnet.

>On Sun, 6 Feb 2000, Micheal Espinola Jr wrote:
>
>> OK - That being said, what is the difference?  I thought a DMZ was a
>> screened subnet.
>
>As I understand the term from the O'Reilly & Bellovin firewalls books, a
>DMZ is all the systems which are set in the same address space as the
>firewall; not hanging off of it from a third NIC. The third NIC subnet
>allows for the firewall to afford some protection to these systems,
>whereas my definition leaves the DMZ systems unprotected except for their
>own methods. See what I mean?
>
>geoffrey

--
Gene Lee
[EMAIL PROTECTED]
[EMAIL PROTECTED]

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
