First of all, "old school" <> "old age" (I'm 45). It may very well indicate an old instructor, though.

We are in agreement on protecting our servers. We just differ on where the DMZ is.

Thanks for the comments.

Take care,
Buck

-----Original Message-----
From: shrike-list-admin@xxxxxxxxxx [mailto:shrike-list-admin@xxxxxxxxxx] On Behalf Of Rodolfo J. Paiz
Sent: Monday, October 06, 2003 11:00 AM
To: shrike-list@xxxxxxxxxx
Subject: RE: Which Firewall solutions

At 08:19 10/6/2003, you wrote:
>I can understand where different people have adopted different
>definitions to DMZ, but it appears that the firewall industry uses the
>DMZ to refer to those computers made available to the internet.

Available to the Internet, yes. Subject to direct access on some ports by total strangers and therefore at much higher risk, yes. Bare-assed naked, no.

Computers in the DMZ should _also_ have firewall protection; as in your example, my webserver has all but tcp/80 requests blocked from the Internet at the firewall. But by definition they must be accessible, so they have less protection. The key difference from what you and I are saying is that your equipment is leaving the DMZ totally open. I try to protect the DMZ also.

I don't use the small SOHO hardware firewalls much; I'm happier using an old P/100 with a minimal RH9 install and configuring iptables with Shorewall. Overall it's much more flexible, and I also then put DNS, DHCP, and NTP service on that firewall box so it pretty much runs the network automatically.

>You might be from the "old school" and before it was altered.

<laugh> Well, at age 31 and in this arena I suppose it was only a matter of time before someone started calling me old.

>The DMZ is most dangerous as it is
>in front of the protection of the front line.

Using that analogy, then the DMZ has no protection at all. In that case, the enemy roams the DMZ freely. And that's not very "demilitarized", is it?

>Therefore, systems in the
>DMZ would need to protect themselves. For example, a web server might
>close all ports but port 80. It would protect itself as best possible
>and still be isolated from the internal network.

All servers should protect themselves. But why not _also_ protect them with a firewall?

--
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx

--
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
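The three-zone setup Rodolfo describes (Internet, DMZ, internal LAN, with the DMZ web server reachable from outside on tcp/80 only and still firewalled) expressed as a plain iptables ruleset. This is an added example, not code from the thread or from Shorewall; interface names eth0/eth1/eth2 and the web server address 192.0.2.10 are assumptions, and by default the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread): a three-zone FORWARD ruleset.
# Assumed layout: eth0 = Internet, eth1 = DMZ, eth2 = internal LAN;
# 192.0.2.10 = the DMZ web server (documentation address, constructed).
# IPT defaults to a dry run that only echoes the commands;
# run with IPT=iptables on a real firewall box to apply them.

: "${IPT:=echo iptables}"
NET_IF=eth0
DMZ_IF=eth1
LOC_IF=eth2
WEB=192.0.2.10

dmz_rules() {
    # Default deny on all routed traffic: DMZ hosts get firewalled too.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Replies to already-established flows, in either direction.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Internet -> DMZ: only new tcp/80 connections to the web server.
    $IPT -A FORWARD -i "$NET_IF" -o "$DMZ_IF" -d "$WEB" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
    # Internal LAN may open connections into the DMZ (admin, browsing) ...
    $IPT -A FORWARD -i "$LOC_IF" -o "$DMZ_IF" -m state --state NEW -j ACCEPT
    # ... and out to the Internet.
    $IPT -A FORWARD -i "$LOC_IF" -o "$NET_IF" -m state --state NEW -j ACCEPT
    # The DMZ never initiates into the LAN, so a compromised web server
    # stays isolated; log the attempt, then drop it.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LOC_IF" -j LOG --log-prefix "DMZ->LAN blocked: "
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LOC_IF" -j DROP
}

dmz_rules
```

Everything not explicitly accepted (Internet to any other DMZ port, Internet to LAN, DMZ to LAN) falls through to the DROP policy.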