On Wednesday 03 July 2002 15:15, Tiago N. Sampaio wrote:
> Hello people....
> I am a Brazilian basic Linux administrator (junior)...
> I would like to place a DMZ in my network, but my boss would like arguments
> for this...
> I searched the net for why a DMZ is better than a simple firewall,
> but found nothing concrete to show my boss.
That is a bad attitude (of your boss)! A firewall doesn't exclude a DMZ and vice versa. For one thing, there's no real DMZ without a firewall. ;-) Second, using a term like "simple firewall" tells you that he doesn't really care about security, or maybe he's simply ignorant. Both cases are very dangerous to the network.

Now, I understand that you can't tell your boss he's stupid (in fact, I've just been flamed big time by the City Mayor for protecting my IT people; sometimes you just can't avoid such things), so here are a few short, strong points for you to think about:

1. A firewall shouldn't be simple. It may use simple rules, but they must be complete (like deny all and allow just a few ports - it's simple and straightforward, and pretty much complete for most users).

2. A DMZ is the place to put machines you don't trust - if your servers get compromised, it is far more dangerous if they're in your network instead of in a DMZ.

3. Using Linux/BSD machines as firewalls, you can get really good security (but not perfect, since there is no 100% secure product), powerful firewalls, and you can implement a DMZ for just a few bucks more (or even less, if you can recycle some old PCs as firewalls). This is really cheap and gives you a chance to build quite a secure network infrastructure.

-- 
Radoslav Dejanović
Senior Associate to Mayor's Office
City of Zagreb, Croatia
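The three points above (deny-all with a few allowed ports, untrusted servers isolated in a DMZ, and a Linux box as the firewall) fit on one page of firewall policy. The following is an added example written for this thread, not code from the original post or its author: an nftables ruleset for a three-legged Linux firewall with a separate DMZ segment. The interface names (eth0/eth1/eth2), the address ranges, and the single published web server are assumptions for illustration; change them to match your network. Everything not explicitly accepted is dropped, and in particular nothing initiated from the DMZ can reach the internal LAN, which is the point of having the DMZ at all.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Three-legged firewall:
#   eth0 = Internet, eth1 = internal LAN, eth2 = DMZ  (assumed names/addresses)
flush ruleset

define wan_if  = "eth0"
define lan_if  = "eth1"
define dmz_if  = "eth2"
define lan_net = 192.168.1.0/24      # assumed internal LAN
define dmz_net = 192.168.100.0/24    # assumed DMZ
define dmz_web = 192.168.100.10      # assumed public web server in the DMZ

table inet filter {
    chain input {
        # Traffic addressed to the firewall itself: default deny.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Administer the firewall only from the LAN side.
        iifname $lan_if ip saddr $lan_net tcp dport 22 accept
        # Enough ICMP for path MTU discovery and basic diagnostics.
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } accept
    }

    chain forward {
        # Traffic routed between segments: default deny.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # LAN may reach the Internet and the DMZ.
        iifname $lan_if oifname $wan_if ip saddr $lan_net accept
        iifname $lan_if oifname $dmz_if ip saddr $lan_net accept

        # Internet may reach only the published service in the DMZ
        # (daddr is already rewritten by the DNAT rule below).
        iifname $wan_if oifname $dmz_if ip daddr $dmz_web tcp dport { 80, 443 } accept

        # DMZ may reach the Internet only for what the servers need
        # (DNS and package updates); nothing else leaves the DMZ.
        iifname $dmz_if oifname $wan_if ip saddr $dmz_net udp dport 53 accept
        iifname $dmz_if oifname $wan_if ip saddr $dmz_net tcp dport { 53, 80, 443 } accept

        # DMZ may never initiate anything towards the LAN. The chain policy
        # already drops this; the explicit rule keeps a counter so you can
        # see a compromised DMZ host trying.
        iifname $dmz_if oifname $lan_if counter drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Publish the DMZ web server on the firewall's external address.
        iifname $wan_if tcp dport { 80, 443 } dnat to $dmz_web
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # Hide LAN and DMZ behind the external address on the way out.
        oifname $wan_if masquerade
    }
}
```

Load it with `nft -f` on a box with `net.ipv4.ip_forward=1` and check the result with `nft list ruleset`. The two things to verify before declaring the DMZ "real" are that the only `accept` lines with `iifname $dmz_if` point at `$wan_if`, never at `$lan_if`, and that the only `accept` line with `iifname $wan_if` is the one for the published service; everything else on the Internet-facing side rides on the `drop` policy, which is the "deny all and allow just a few ports" rule from point 1.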