Subject: Re: [FW-1] TRUE DMZ VS. SERVICE NETWORK
From: David Gillett <gillettdavid AT FHDA DOT EDU>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 25 Apr 2005 14:09:45 -0700
  A DMZ is a subnet with a relatively permissive ruleset between it
and the Internet, and a very restrictive ruleset between it and the
enterprise's internal network.  Any solution that doesn't deliver at
least that much is clearly NOT a "DMZ" of any sort.
  (Yes, it bugs me when manufacturers of SOHO routers refer to port
forwarding as "DMZ"....)

  A "real DMZ", as described below (and I don't know if that's what
the original poster meant by the term...) implements this right down
to the physical layer, with these two rulesets executed on different
pieces of hardware and an additional hop penalty for all traffic
between the internal network and the Internet.  No fair using a VLAN,
either -- a physical DMZ needs its own dedicated switch, too.  (That's
a good idea in any case, but if you don't do that then your segments
aren't physically separated after all, which seems to be the objective.)

  The minimum additional costs associated with a "real DMZ" are clear.
The additional security benefit is dubious.
  Yes, you can increase security by having two layered firewalls -- of
different sorts, which adds a cost of extra management complexity to the
hardware and performance costs already enumerated.  Do you stipulate this
as a requirement of any "real DMZ", further increasing the cost?
  Even if the two firewalls use the same "engine", the fact that traffic
between the Internet and the internal network gets filtered in two places
can make debugging filter configuration errors an extra challenge.
  But note also that forcing internal<->Internet traffic to traverse a
physical DMZ segment may make it vulnerable to being sniffed by a
compromised host in the DMZ -- a risk not present in the three-legged
topology.

David Gillett


> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Crist Clark
> Sent: Monday, April 25, 2005 11:18 AM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] TRUE DMZ VS. SERVICE NETWORK
>
>
> A "real" DMZ is one whose physical layout resembles demilitarized zones
> in the real world. In the real world, a DMZ is some territory free of
> significant military fortifications between you and some hostile territory,
> a buffer zone. The classic real-world example of a DMZ is the North-South
> Korean border. A few hundred meters of no-man's land between heavily
> fortified defensive positions.
>
> In the networking world a "real" DMZ follows the same layout,
>
>                 Internet
>             (hostile network)
>                     |
>                 --------- Your network border router, that may
>                      |          be doing some firewalling.
>                    DMZ
>                     |
>                 --------- Your internal border router, definitely
>                      |          doing heavy firewalling.
>                 Internal
>                  Network
>
> A network on a third leg off of your firewall doesn't fit this physical
> DMZ analogy since you have one single set of heavy defenses protecting
> both your internal network and the "service network." It is not truly
> layered like a real-world DMZ.
> --
> Crist J. Clark
> crist.clark AT globalstar DOT com
> Globalstar Communications
> (408) 933-4387
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
