Your discussion is most welcome. I take no offense. Thank you for your input.

I can understand where different people have adopted different definitions of DMZ, but it appears that the firewall industry uses the DMZ to refer to those computers made available to the internet. This is backed up by several books I have read on the issue. I know this for a fact: you would not want to remove any internal firewall on your server and then connect it to any of the hardware firewalls I have using their DMZ, especially if it's a Microsoft system. The reason I have a software firewall on my desktop is because I sometimes test things that the hardware prevents, so I, in theory, connect directly to the internet. I know for a fact I set an internal server on a business server I manage (a Windows machine) in the DMZ for a couple of hours to test something and a cracker broke in and destroyed the OS, so I had to recover it. I would not put my internal network on the DMZ on any of the routers/firewalls I have.

I understand your position and certainly respect it. As long as you are in control of what you are setting up and how, you, no doubt, will be protected, but after this conversation I believe it would be dangerous for either of us to order someone to set up our systems for us without being specific. If you said to set this computer in the DMZ and I told you not to put my server in the DMZ, neither of us would like the end result. Many times I have seen a definition created that somehow became altered or reversed before being accepted by the public. That may be the case with DMZ. You might be from the "old school" and before it was altered.

Having given this some more thought, I can picture the DMZ as follows. You have the enemy territory, the DMZ, the front line and the back areas. This can be pictured in the computer as: the Internet is the enemy territory, the front line is the (hardware) firewall and the back areas are where you are the safest. The DMZ is most dangerous as it is in front of the protection of the front line. Therefore, systems in the DMZ would need to protect themselves. For example, a web server might close all ports but port 80. It would protect itself as best possible and still be isolated from the internal network.

Well, that's my adaptation of the picture, for what it's worth.

Good luck
Buck

-----Original Message-----
From: shrike-list-admin@xxxxxxxxxx [mailto:shrike-list-admin@xxxxxxxxxx] On Behalf Of Rodolfo J. Paiz
Sent: Monday, October 06, 2003 9:48 AM
To: shrike-list@xxxxxxxxxx
Subject: RE: Which Firewall solutions

At 07:19 10/6/2003, you wrote:
>I am a bit new to Linux, but for the last three years DMZ on a firewall
>has represented an open, unprotected address.
>
><snip>
>
>In everything I have read and used, the last place to put a server is
>in the DMZ.

Well, Buck, you have just run into another well-known advantage of The Linux Way [tm], known as TIMTOWTDI: There Is More Than One Way To Do It. Whatever your sources are, you're welcome to go with what they say or recommend. I, on the other hand, will offer the Internet "an open, unprotected access" to any part of my network over my dead body.

Access to my internal network is forbidden entirely, but since I must offer access to my servers (kind of the point of having servers, after all) I try to make sure all traffic to/from my servers is "demilitarized", i.e. no hackers/crackers/script-kiddies welcome. My DMZ and my internal net are both behind a firewall and each separate from the other, with traffic to/from the DMZ very carefully controlled in all directions. I want to prevent someone cracking my servers, but when it happens (hasn't happened yet in five years, but I see it as an inevitable event, it _will_ happen someday), I want to make it just as difficult for them to get into my internal network as it was to get into the server.

You don't like my definition...? No problem at all, don't use it. Use any other definition you wish that makes you happy. After all, it's your network. But since this is a discussion list, let's discuss: Your description put mail and web servers (those that need to offer access to the outside) in the DMZ, so (a) I'm not sure why this is "the last place to put a server" and (b) if I can offer both zones (internal and dmz) the protection each deserves and needs, why would I leave one of them bare-ass naked?

--
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx

--
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
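The layout Rodolfo describes (Internet, DMZ and internal LAN all behind one Linux firewall, with the DMZ unable to reach the LAN and only port 80 reachable on the web server), as an added example that is not from either poster: an iptables-restore ruleset for a three-interface firewall. The interface names eth0/eth1/eth2, the address ranges 192.0.2.0/24 and 10.0.0.0/24, the web server address 192.0.2.10 and the public address 203.0.113.1 are all assumptions.

```shell
#!/bin/sh
# Added example: three-zone firewall (Internet / DMZ / LAN) in iptables-restore
# format.  Assumed layout: eth0 = Internet (public 203.0.113.1), eth1 = DMZ
# (192.0.2.0/24, web server 192.0.2.10), eth2 = LAN (10.0.0.0/24).
# Load with:  gen_rules | iptables-restore
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to flows already allowed may pass in every direction.
-A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT   -i lo -j ACCEPT
# The firewall itself accepts SSH only from the LAN side.
-A INPUT   -i eth2 -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Internet -> DMZ: only port 80 on the web server, nothing else.
-A FORWARD -i eth0 -o eth1 -d 192.0.2.10 -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Internet -> LAN: never (default DROP covers it; logged so it is visible).
-A FORWARD -i eth0 -o eth2 -j LOG --log-prefix "inet->lan denied: "
-A FORWARD -i eth0 -o eth2 -j DROP
# LAN -> DMZ and LAN -> Internet: allowed; the LAN is the trusted side.
-A FORWARD -i eth2 -o eth1 -m state --state NEW -j ACCEPT
-A FORWARD -i eth2 -o eth0 -m state --state NEW -j ACCEPT
# DMZ -> LAN: never.  A cracked web server must not reach the internal net.
-A FORWARD -i eth1 -o eth2 -j LOG --log-prefix "dmz->lan denied: "
-A FORWARD -i eth1 -o eth2 -j DROP
# DMZ -> Internet: only what the server needs outbound (DNS and NTP here).
-A FORWARD -i eth1 -o eth0 -p udp --dport 53  -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p udp --dport 123 -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish the web server on the firewall's public address; hide the rest.
-A PREROUTING  -i eth0 -d 203.0.113.1 -p tcp --dport 80 -j DNAT --to-destination 192.0.2.10
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Check the generated policy without loading it: exit 0 if a line matching
# the given regular expression is present in the ruleset.
rule_present() {
    gen_rules | grep -q -- "$1"
}
```

Review the output of gen_rules before loading it; the two LOG lines are what lets you see attempts from the DMZ toward the LAN in the kernel log.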