On Thu, 2002-09-12 at 20:29, Ben-Nes Michael wrote:
> Hi All
>
> Small confusion.
>
> What exactly is a DMZ?
> If it is an area between the Internet and the firewall then it's not under
> protection of the firewall.
> If so, what does the firewall manage here?
>
The art of security is all about risk hedging, and in this case partitioning the area you protect into separate perimeters, each with its own security 'level' and risk. A firewall exists to enforce this separation at the network level.

Many strangers need to come and drop off packages at a building's entrance front desk, just as many strangers need to establish SMTP connections with your mail server. But only a very few specific people need to pass into the office area of the upper floor, just like only a very few specific people need to establish TCP connections with your internal network. Someone who is allowed, or even unlawfully able, to gain entrance to the first floor front desk should not be able to 'escalate' this access to the higher floor offices. Someone who has access to the company mail server (because he sends email to someone in the company), or someone who was able to gain root by using a buffer overflow on the mail server, should not be able to pass into the inner network sterile zone where the source code and money records are kept.

There are security means and checks (guards, cameras, locks) both at the entrance to the front desk on the first floor and at the upper floor offices, but the rules by which they decide who can pass and who can't are different. Likewise the firewall keeps tabs on traffic going in and out of the DMZ and the internal network (and between!) but uses different rules to decide who may go where. The area in which the mail and web servers (for example) exist must have more permissive rules in order for them to function, but that means that the network area in which these servers exist is at a higher risk and must be isolated from the rest of the network, hence the DMZ.
"Building Internet Firewalls" is a great book recommended to people interested in the subject: http://www.greatcircle.com/firewalls-book/

<Shameless plug> And if anyone needs help in setting up a secure environment, I know a couple of pros that would be glad to help for a modest fee... :-) </Shameless plug>

Gilad.

-- 
Gilad Ben-Yossef <[EMAIL PROTECTED]>
http://benyossef.com
"We don't need kernel hackers or geniuses, we need good developers who will do what they're told". Famous last words, the collection.
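The three-zone policy the reply describes (Internet, DMZ, internal network, with a different rule set on each boundary and nothing permitted from the DMZ inward), modelled as a small default-deny policy evaluator. This is an added example and not part of the thread; the zone prefixes, host addresses, port numbers and rule table are constructed assumptions, and it evaluates a constructed packet list rather than driving any real firewall.

```python
"""Toy three-zone firewall policy showing why the DMZ is its own perimeter.

Added example, not from the original mailing-list thread. All addresses,
zone names, ports and the rule table below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed zone layout: one firewall interface per zone. Anything that is not
# in one of our prefixes is treated as the untrusted Internet.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),       # public mail and web servers
    "internal": ipaddress.ip_network("10.10.0.0/16"),  # source code, money records
}


def zone_of(ip: str) -> str:
    """Map an address to the zone of the firewall interface it sits behind."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    """One new connection attempt as the firewall sees it."""
    src: str
    dst: str
    proto: str
    dport: int


# Permitted (from_zone, to_zone, proto, dport) tuples. Everything not listed is
# denied, and each zone boundary deliberately gets a different set of services:
# the front desk is open to strangers, the upper floors are not.
ALLOW = {
    ("internet", "dmz", "tcp", 25),       # anyone may deliver mail to the MX
    ("internet", "dmz", "tcp", 80),       # anyone may browse the public web server
    ("internal", "dmz", "tcp", 25),       # staff may hand outgoing mail to the relay
    ("internal", "dmz", "tcp", 22),       # admins may manage DMZ hosts
    ("internal", "internet", "tcp", 80),  # staff browsing out
    ("internal", "internet", "tcp", 443),
    # No ("dmz", "internal", ...) entry at all: a compromised DMZ host cannot
    # escalate its foothold into the sterile zone.
}


def decide(flow: Flow) -> str:
    """Return the firewall verdict for one flow: allow, deny or not-routed."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        # Same segment: the traffic never crosses the firewall at all.
        return "not-routed"
    return "allow" if (src_zone, dst_zone, flow.proto, flow.dport) in ALLOW else "deny"


def evaluate(flows):
    """Evaluate a list of flows, returning (flow, verdict) pairs."""
    return [(f, decide(f)) for f in flows]


# Constructed sample traffic covering each boundary from the reply.
SAMPLE = [
    Flow("203.0.113.7", "192.0.2.25", "tcp", 25),   # stranger delivering mail: allow
    Flow("203.0.113.7", "10.10.1.5", "tcp", 25),    # stranger aiming at internal: deny
    Flow("192.0.2.25", "10.10.1.5", "tcp", 445),    # rooted MX reaching inward: deny
    Flow("10.10.1.5", "192.0.2.25", "tcp", 22),     # admin managing the MX: allow
    Flow("10.10.1.5", "203.0.113.7", "tcp", 443),   # staff browsing out: allow
]

if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE):
        print(f"{zone_of(flow.src):>8} -> {zone_of(flow.dst):<8} "
              f"{flow.proto}/{flow.dport:<4} {verdict}")
```

The point of the rule table is the row that is missing: once the DMZ is its own zone, the firewall can grant the Internet generous access to the mail server while still dropping every connection the mail server itself tries to open toward the internal network.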