Hi Edward, there was actually a discussion on this list at the beginning of February. I attached a copy of two mails at the end (below your mail). You may also try these simple Yahoo request results:

http://www.netsys.com/firewalls/firewalls-9606
http://securityportal.com/list-archive/firewall-wizards/1999/Jan/0121.html
http://www.nfr.net/firewall-wizards/mail-archive/1999/Jan/0065.html
http://www.ssimail.com/Zoneguard.htm
http://www.clug.in-chemnitz.de/vortraege/paranoia/node17.html (German)

Just my 2 cents. Hope it helps. Good luck!

Frank

-------------------------------------------------------------------------------------------------------------------------

To: [EMAIL PROTECTED]
Subject: Firewall Basic Information?

Hi there,

Who can give me some websites that have a basic introduction on firewalls? I want to know more about the DMZ.

Regards,
Edward.

10.02.2000 00:04:11

Actually, both architectures are the same. It just so happens that the functionality of a firewall allows it to serve as the boundary between the outside and the DMZ as well as the boundary between the DMZ and the inside. In general, the purpose of the DMZ is to prevent direct traffic between the outside and the inside, and so in both of your examples, the DMZ is "between" the other two networks. However, if you have a single FW with three interfaces, it allows you to build a traditional DMZ-based structure (forcing packets to always pass through the DMZ) or to let some traffic bypass the DMZ entirely.

Although both are functionally the same, the 3-legged approach allows traffic to pass from outside to inside without ever being visible to DMZ-based systems. In this way, it can be considered "more secure." But since you have a single point of failure, some people may consider it less secure...

paul

> Date: Wed, 9 Feb 2000 16:52:48 -0500
>
> If you look at the most prominent DMZ in the world (Korea), you will see
> that it is an area BETWEEN two enemies. There is no screening or other
> protection between either Korea and the DMZ. Thus, it is not completely
> unreasonable to define it like this:
>
>         net
>          |
>          |
>        router
>          |
>          |
>         DMZ
>          |
>          |
>       firewall
>          |
>          |
>    inside network
>
> This does in fact qualify as "a network added between a protected network
> and an external network, in order to provide an additional layer of
> security", albeit some would argue it is a weak qualification.
>
> However, in my experience, *most* firewall people view this as the standard
> architecture:
>
>         net
>          |
>          |
>        router
>          |
>          |
>    outside network
>          |
>          |
>       firewall >> DMZ
>          |
>          |
>    inside network
>
> So, I propose that both are valid explanations / definitions of a DMZ.
>
> Thus, when you ask a question about the DMZ, simply specify:
>
> I'm using an Acme firewall-77 in the DMZ (third leg), and want to make it
> do....
> OR
> I'm using an Acme firewall-77 in the DMZ ('tween net router and firewall),
> and want to make it do....
>
> And, yeah, if you have control of it or can convince your ISP to change it,
> you add whatever helpful screening rules you can to the outside router. But
> that's not always possible.
>
> my two cents.
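The two layouts in the thread, expressed as zone-based firewall policies so the difference Paul describes can be checked mechanically. This is an added example, not code from any of the mails: the zone names, the sample rulesets, the port numbers and the udp/500 "bypass" rule are assumptions chosen for illustration, not a recommended policy. In the router-DMZ-firewall layout the firewall has only two legs (DMZ and inside), so an "outside to inside" rule cannot even be written; in the three-legged layout it is one line away, which is exactly why that layout can let traffic skip the DMZ.

```python
"""Zone-based model of the two DMZ layouts from the thread.

Added example, not code from the original mails.  Zone names, the sample
rulesets, port numbers and the udp/500 "bypass" rule are assumptions chosen
to illustrate the architectural point, not a recommended policy.
"""
from dataclasses import dataclass
from typing import List, Optional

OUTSIDE, DMZ, INSIDE = "outside", "dmz", "inside"


@dataclass(frozen=True)
class Rule:
    src: str              # source zone
    dst: str              # destination zone
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None matches any port
    action: str           # "allow" or "deny"

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (self.src == src and self.dst == dst
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First-match evaluation with an implicit default deny at the end."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "deny"


def dmz_bypass_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that let outside traffic reach the inside without entering the DMZ."""
    return [r for r in rules
            if r.src == OUTSIDE and r.dst == INSIDE and r.action == "allow"]


def classify_layout(rules: List[Rule]) -> str:
    """Report whether a ruleset forces all external traffic through the DMZ."""
    return "strict-dmz" if not dmz_bypass_rules(rules) else "dmz-with-bypass"


# Layout 1 (quoted mail): net - router - DMZ - firewall - inside.
# The firewall has two legs, DMZ and inside.  Packets from the net land on
# the DMZ segment first, so from the firewall's point of view every external
# packet has source zone "dmz"; there is no "outside" zone to write rules for.
SCREENED_SUBNET: List[Rule] = [
    Rule(DMZ, INSIDE, "tcp", 25, "allow"),    # DMZ mail relay forwards inward
    Rule(INSIDE, DMZ, "any", None, "allow"),  # inside hosts may use DMZ services
]

# Layout 2: three-legged firewall with outside, DMZ and inside interfaces.
# The same box borders all three zones, so policy alone decides whether
# traffic is forced through the DMZ or may skip it.
THREE_LEGGED: List[Rule] = [
    Rule(OUTSIDE, DMZ, "tcp", 80, "allow"),   # public web server in the DMZ
    Rule(OUTSIDE, DMZ, "tcp", 25, "allow"),   # public mail relay in the DMZ
    Rule(DMZ, INSIDE, "tcp", 25, "allow"),    # relay forwards mail inward
    Rule(INSIDE, DMZ, "any", None, "allow"),
    Rule(INSIDE, OUTSIDE, "any", None, "allow"),
    # The bypass Paul mentions: traffic never visible to DMZ hosts.  Assumed
    # here to be an IPsec peer on udp/500 (an assumption for illustration).
    Rule(OUTSIDE, INSIDE, "udp", 500, "allow"),
]


if __name__ == "__main__":
    for name, rules in (("screened subnet", SCREENED_SUBNET),
                        ("three-legged", THREE_LEGGED)):
        print(f"{name}: {classify_layout(rules)}")
        for bypass in dmz_bypass_rules(rules):
            print("  bypass rule:", bypass)
    # A compromised DMZ web host trying to reach ssh on the inside is dropped
    # in both layouts: only tcp/25 is allowed from the DMZ inward.
    print("dmz -> inside tcp/22:", evaluate(THREE_LEGGED, DMZ, INSIDE, "tcp", 22))
```

The check `dmz_bypass_rules` is the kind of invariant worth running against a real ruleset before deployment: on a three-legged box it is the only thing standing between "traditional DMZ" and "DMZ that some traffic skips", and both are valid configurations of the same hardware, which is Paul's point.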
