DMZ is a misnomer; it should be EHF (exposed to hostile fire). Then again, DMZ is a misnomer in most other applications also.

DMZ use implies 3 things: a machine that is EHF, a firewall of some type, and a machine (or network of machines) behind the firewall.

Suggest: put one machine with one disk in the DMZ but keep a duplicate of that system's drive on another machine that is behind the firewall as a protected drive. When (not if) your EHF machine is compromised, restoring it requires copying the entire disk image from its 'safe house' to the DMZ machine. Updates of the DMZ machine's drive (web page updates) require modifying the protected drive, then updating (man rsync) the DMZ machine's drive from the protected drive.

Comments?

Brian Brunner
brian.t.brunner@xxxxxxxxxxxxxxx
(610)796-5838

>>> jwilliams@xxxxxxxxxxxxxx 10/06/03 09:30AM >>>

You put information systems in the DMZ that are meant to be openly accessible to an unprotected network such as the Internet. Example: www, e-mail, ftp. The purpose of the DMZ is to create a segregated network and having those systems with the most exposure by themselves. If a "hacker" breaks into your www server you have a better chance of the person not being able to adulterate the rest of your network since logically it shouldn't have any ties with your DMZ segment.

James Williams
Network Systems Engineer

-----Original Message-----
From: shrike-list-admin@xxxxxxxxxx [mailto:shrike-list-admin@xxxxxxxxxx] On Behalf Of Buck
Sent: Monday, October 06, 2003 8:19 AM
To: shrike-list@xxxxxxxxxx
Subject: RE: Which Firewall solutions

I am a bit new to Linux, but for the last three years DMZ on a firewall has represented an open, unprotected address. I sometimes set the DMZ to my computer which has a software firewall so I can do things normally blocked by the firewall. This isn't some fluke as I have used three hardware firewalls and all agree.

Also, the book "Red Hat Internet Server" talks about the DMZ and in its description and drawing it agrees. The DMZ is an unprotected area of the network. The diagram used shows the internet, the DMZ and then the firewall. The web server and email server were in the DMZ and the network file server and workstations were all protected by the firewall. In several cases, I found the authors puzzled as to how it was named after the DMZ war zone when it appears to have the opposite meaning from the Viet Nam and Korea wars.

In everything I have read and used, the last place to put a server is in the DMZ.

Buck

-----Original Message-----
From: shrike-list-admin@xxxxxxxxxx [mailto:shrike-list-admin@xxxxxxxxxx] On Behalf Of Rodolfo J. Paiz
Sent: Monday, October 06, 2003 5:24 AM
To: shrike-list@xxxxxxxxxx
Subject: RE: Which Firewall solutions

DMZ is "demilitarized zone," a term IIRC created in the Vietnam War. Means an area where neither side goes freely and all traffic is watched. You generally put servers in there, so NOTHING comes into your internal network and it is easier to secure: both your internal clients and the people out on the Internet connect to servers in the DMZ. The DMZ servers, in turn, do not need free access to the Internet so you can lock them down more tightly, another improvement to security.

This is the way I see it, anyway; it's not a textbook definition.

--
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx

--
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
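
Brian Brunner's suggestion at the top of the thread (edit only the protected copy, push it to the DMZ machine, restore from it after a compromise) pairs naturally with a check of how the exposed copy has drifted from the protected one before it is overwritten. The following is an added example, not part of the original thread: it goes one step beyond the thread by adding that comparison, it assumes two local directory trees rather than an rsync transfer, and the function names and sample files are constructed for illustration.

```python
# Added example; names and sample files are constructed. Assumes two local trees.
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def manifest(root: Path) -> dict:
    """Map each file path (relative to root) to a SHA-256 digest."""
    entries = {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_symlink():  # record links by target so a planted link shows up
            entries[rel] = "symlink:" + os.readlink(p)
        elif p.is_file():
            entries[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return entries

def drift(master: Path, exposed: Path) -> dict:
    """Edits are only made on the master, so any difference is suspect."""
    want, have = manifest(master), manifest(exposed)
    return {
        "modified": sorted(f for f in want.keys() & have.keys() if want[f] != have[f]),
        "missing": sorted(want.keys() - have.keys()),
        "unexpected": sorted(have.keys() - want.keys()),
    }

def restore(master: Path, exposed: Path) -> dict:
    """Bring the exposed tree back in line with the master; return what changed."""
    report = drift(master, exposed)
    for rel in report["unexpected"] + report["modified"]:
        (exposed / rel).unlink()
    for rel in report["modified"] + report["missing"]:
        target = exposed / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(master / rel, target, follow_symlinks=False)
    return report

def demo() -> tuple:
    """Constructed sample: a small site, then tampering on the exposed copy."""
    base = Path(tempfile.mkdtemp())
    master, exposed = base / "protected", base / "dmz"
    master.mkdir()
    for name, body in (("index.html", "<h1>hello</h1>"), ("about.html", "about")):
        (master / name).write_text(body)
    shutil.copytree(master, exposed)
    (exposed / "index.html").write_text("<h1>defaced</h1>")
    (exposed / "about.html").unlink()
    (exposed / "dropped.txt").write_text("constructed placeholder")
    return restore(master, exposed), drift(master, exposed)
```

Keeping the report returned by `restore` gives a record of what was changed on the exposed machine before the protected copy replaced it.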