One of the things to notice in "Building Internet Firewalls" is that the dotted line
around the "firewall" included the perimeter network, screening routers and bastion
hosts. A DMZ in their terminology is PART of a firewall, not separate from it.
There is a difference between the diagram given by Laura below and Chapman and
Zwicky's definition. The difference is between a single machine and a system of
machines. Since that book was written, separate machines are more often used for
firewalls than groups of screening routers, so the architecture described in that book:
Internet---[screening router]---- Perimeter Network or DMZ----[screening router]---Internal
(Building Internet Firewalls Edition 1, page 68)
is now often
Internet--[screening router/ stateful FW]---perimeter network---[proxy firewall]---Internal
                                                  |                      |
                                           [bastion hosts]       semi-protected segment
                                                                         |
                                                                  [public servers]
where bastion hosts are hardened servers running single services such as DNS or SMTP,
while [public servers] host web pages with databases etc. (more complex
services).
The simplistic view of the 1995 book has been replaced by much more sophisticated
designs and the term DMZ really no longer applies without confusion.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of rich johnson
Sent: Sun April 07 2002 16:50
To: [EMAIL PROTECTED]
Subject: Re: Firewalls digest, Vol 1 #650 - 9 msgs
On Saturday 06 April 2002 21:56, you wrote:
> Okay, I think that perhaps there is misunderstanding as to what my
> *extremely* simple statement meant, due in no small part to its constant
> intentional misinterpretation on the part of another. *This* is what I was
> describing:
>
> Internet-----Firewall-----DMZ-----Firewall-----<[see below]
>
>
> Paul
On page 58 of Chapman and Zwicky's Nov95 edition of "Building Internet
Firewalls," the authors define:
Perimeter Network
A network added between a protected network and an external network, in
order to provide an additional layer of security. A perimeter network
is sometimes called a DMZ, which stands for De-Militarized Zone
(named after the zone separating North and South Korea).
In other words, the topology described by Robinson above:
Internet-----Firewall-----DMZ-----Firewall-----[private network]
properly illustrates the DMZ. The basic notion that there are two
firewalls to penetrate to get to the private network illustrates the
DMZ notion. The network topology that Robertson ascribes to "DMZ" is
what Chapman and Zwicky describe as a "merged interior and exterior
router". Check out the diagram on page 73 of "Building Internet Firewalls"
for more details. The obvious weakness with this architecture is that only
one router needs to be compromised to gain access to two networks (one
that presumably has the company jewels in it).
I would suggest to anyone that has followed this sometime inflammatory
thread that they read Chapman and Zwicky's Chapter 4 entirely. It provides a
fine context to sort through some of the posts made on this list.
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
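As an added illustration (not code from the thread, from Chapman and Zwicky's book, or from any list member), the following Python model evaluates constructed packet-filter rule sets for the two topologies the messages contrast: the screened subnet with separate exterior and interior filters, and the "merged interior and exterior router". The zones, documentation-range addresses, hosts, rules and function names are all assumptions made for this example. The `exposed_zones` check shows the weakness the second message points out: when the single merged router is bypassed, both the perimeter and the internal network become reachable, whereas in the screened subnet bypassing the exterior router exposes only the perimeter network.

```python
"""Screened subnet vs. merged-router packet-filter model (constructed example).

  screened subnet : Internet --[exterior]-- perimeter/DMZ --[interior]-- internal
  merged router   : Internet --[one router on every path]-- {perimeter, internal}
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan using documentation ranges; not real hosts.
ZONES = {
    "perimeter": ip_network("192.0.2.0/24"),  # perimeter network / DMZ
    "internal": ip_network("10.0.0.0/8"),
}
BASTION_DNS = "192.0.2.53"   # hardened single-service hosts on the perimeter
BASTION_SMTP = "192.0.2.25"
MAIL_HUB = "10.0.0.25"       # internal mail server behind the interior firewall
ZONE_ORDER = ["internet", "perimeter", "internal"]  # linear walk order


def zone_of(addr: str) -> str:
    """Zone of an address; anything not in a listed network is the Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str              # zone name, host address, or "any"
    dst: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any port
    action: str           # "accept" or "deny"

    def _endpoint_match(self, pattern: str, addr: str) -> bool:
        return pattern in ("any", addr, zone_of(addr))

    def matches(self, f: Flow) -> bool:
        return (self._endpoint_match(self.src, f.src)
                and self._endpoint_match(self.dst, f.dst)
                and self.proto in ("any", f.proto)
                and self.dport in (None, f.dport))


def evaluate(rules, f: Flow) -> str:
    """First-match evaluation with an implicit default deny."""
    for r in rules:
        if r.matches(f):
            return r.action
    return "deny"


# Exterior screening router: only the bastion services are reachable from outside.
EXTERIOR = [
    Rule("internet", BASTION_DNS, "udp", 53, "accept"),
    Rule("internet", BASTION_SMTP, "tcp", 25, "accept"),
    Rule("perimeter", "internet", "tcp", 25, "accept"),  # bastion relays mail out
]
# Interior firewall: only the SMTP bastion may talk to the internal mail hub.
INTERIOR = [
    Rule(BASTION_SMTP, MAIL_HUB, "tcp", 25, "accept"),
    Rule("internal", BASTION_SMTP, "tcp", 25, "accept"),
]

# Topology = which enforcement point sits between each pair of adjacent zones.
SCREENED_SUBNET = {
    ("internet", "perimeter"): ("exterior", EXTERIOR),
    ("perimeter", "internal"): ("interior", INTERIOR),
}
# Merged interior/exterior router: one device with one combined rule set on every path.
MERGED = {
    ("internet", "perimeter"): ("merged", EXTERIOR + INTERIOR),
    ("perimeter", "internal"): ("merged", EXTERIOR + INTERIOR),
}


def enforcement_points(topology, src_zone: str, dst_zone: str):
    """Distinct filters crossed walking ZONE_ORDER from src_zone to dst_zone."""
    lo, hi = sorted((ZONE_ORDER.index(src_zone), ZONE_ORDER.index(dst_zone)))
    seen, points = set(), []
    for i in range(lo, hi):
        name, rules = topology[(ZONE_ORDER[i], ZONE_ORDER[i + 1])]
        if name not in seen:        # a merged router is one device, not two hops
            seen.add(name)
            points.append((name, rules))
    return points


def verdict(topology, f: Flow, compromised=()) -> str:
    """Every filter on the path must accept; a compromised filter is treated as accept-all."""
    for name, rules in enforcement_points(topology, zone_of(f.src), zone_of(f.dst)):
        if name not in compromised and evaluate(rules, f) != "accept":
            return "deny"
    return "accept"


def exposed_zones(topology, compromised) -> set:
    """Zones an Internet host newly reaches (arbitrary port) once `compromised` filters are bypassed."""
    targets = {"perimeter": "192.0.2.77", "internal": "10.0.0.77"}  # constructed probe hosts

    def probe(dst, comp):
        return verdict(topology, Flow("203.0.113.9", dst, "tcp", 445), comp)

    return {z for z, host in targets.items()
            if probe(host, ()) == "deny" and probe(host, compromised) == "accept"}


if __name__ == "__main__":
    for label, topo in (("screened subnet", SCREENED_SUBNET), ("merged router", MERGED)):
        for point in sorted({name for name, _ in topo.values()}):
            print(f"{label}: bypassing {point} exposes {sorted(exposed_zones(topo, {point}))}")
```

Both topologies enforce the same policy for ordinary traffic (Internet to the internal mail hub is denied in either), so the difference is not in the rules but in how many independent devices stand between the Internet and the internal network: two in the screened subnet, one in the merged design.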