Re: What is DMZ?
From: Richard H Miller (rick_at_bcm.tmc.edu)
Date: 10/06/03
- Next message: Steven L Umbach: "Re: Why Anti-virus and Firewalls DO WORK"
- Previous message: Mimic: "Re: Why Anti-virus and Firewalls Don't Work"
- In reply to: Lars M. Hansen: "Re: What is DMZ?"
- Next in thread: SA: "Re: What is DMZ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 6 Oct 2003 16:04:48 GMT
Lars M. Hansen (badnews@hansenonline.net) wrote:
: On Sun, 05 Oct 2003 19:46:45 GMT, Duane Arnold spoketh
: >inquisitiveman2002@yahoo.com wrote in news:1d06a7b3.0310051130.46860bb0@posting.google.com:
: >
: >> What is it and how do you set it up in general? I just need to
: >> understand the concepts and then go from there. Thanks
: >>
: >
: >http://www.homenethelp.com/web/explain/port-forwarding-dmz.asp
: >
: >The bottom line is to stay out of the DMZ with a machine at all cost and
: >use port forwarding or port triggering.
: >
: Please don't confuse a DMZ with the "all forward" feature on cheap NAT
: routers. A real DMZ is usually a third network (LAN, WAN, DMZ) with its
: own set of rules for inbound/outbound traffic, and is generally used
: for services that are available to the public.
Exactly. And you have a specific security policy in place to control access between
machines in the DMZ and machines in the internal network.
The theory here is that you can assume that eventually, no matter how diligent
you are, a machine that is providing a service to people on the internet will be
compromised. With many of the script kiddies, this is all they really want. [Or they
wish to make the server into a zombie.]
However, for some crackers, the idea is to become an internal user to a particular
organization, and compromising a host enables them to become internal.
This is why DMZs were originally set up: to apply a security policy on traffic from
the open hosts to the internal hosts. Thus, the internal network is still not compromised.
This means that the company's security design must mandate that all internal hosts will
have no uncontrolled external exposure. This is also why many companies take a very dim
view of people who attempt to bypass the firewalls.
Also, with many of the larger enterprise-grade firewalls, you may have multiple different
security zones; you are not limited to three. The key is to define the ingress/egress policy
for each zone with respect to the other zones and go.
Richard H. Miller, MCSE, CCSE
Information Security Manager
Information Technology Security and Compliance
Information Technology - Baylor College of Medicine
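A worked model of the zone policy described in the post above, added here as an example; it is not code from the post, from the thread, or from the author's organization. It treats the three zones (WAN, DMZ, LAN) as a default-deny rule table, classifies a flow by the zone of its source and destination, and audits the table for the two things the post says the design must rule out: an internal host with uncontrolled external exposure, and a DMZ-to-internal path that is not pinned to a specific host and port. The address ranges, hosts, ports and rules are all constructed for illustration, as is the policy-lint logic.

```python
"""Zone-based firewall policy model (constructed example, not from the post).

Zones: WAN (everything else), DMZ (192.0.2.0/24, TEST-NET-1) and LAN
(10.10.0.0/16). Rules are evaluated first-match-wins; any flow that matches
nothing is denied, so every zone pair starts out closed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional

# Zone membership; the most specific prefix wins and WAN is the catch-all.
ZONES = {
    "LAN": ip_network("10.10.0.0/16"),   # constructed internal range
    "DMZ": ip_network("192.0.2.0/24"),   # constructed DMZ range
    "WAN": ip_network("0.0.0.0/0"),
}


def zone_of(ip: str) -> str:
    """Map an address to the zone with the longest matching prefix."""
    addr = ip_address(ip)
    return max((z for z, net in ZONES.items() if addr in net),
               key=lambda z: ZONES[z].prefixlen)


def ports(*p: int) -> FrozenSet[int]:
    """Helper: an empty set means 'any destination port'."""
    return frozenset(p)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                      # "tcp", "udp" or "any"
    dports: FrozenSet[int]          # empty set == any port
    action: str                     # "allow" or "deny"
    src_host: Optional[str] = None  # restrict the rule to one source host
    dst_host: Optional[str] = None  # restrict the rule to one destination host

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (self.src_zone == zone_of(src)
                and self.dst_zone == zone_of(dst)
                and self.proto in ("any", proto)
                and (not self.dports or dport in self.dports)
                and self.src_host in (None, src)
                and self.dst_host in (None, dst))


# Constructed policy for the three-zone layout. Note there is no WAN->LAN
# rule at all, and the only DMZ->LAN rule is one host to one host, one port.
POLICY = [
    Rule("WAN", "DMZ", "tcp", ports(80, 443), "allow"),  # the public service
    Rule("DMZ", "WAN", "tcp", ports(443), "allow"),      # DMZ hosts fetch updates
    Rule("LAN", "DMZ", "tcp", ports(22), "allow"),       # admins manage DMZ hosts
    Rule("LAN", "WAN", "any", ports(), "allow"),         # internal users go out
    Rule("DMZ", "LAN", "tcp", ports(5432), "allow",      # web server -> its database
         src_host="192.0.2.10", dst_host="10.10.5.20"),
]


def decide(src: str, dst: str, proto: str, dport: int, policy=POLICY):
    """Return (action, matched_rule); unmatched flows are denied by default."""
    for rule in policy:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule
    return "deny", None


def audit(policy):
    """Flag allow rules that break the design the thread describes."""
    findings = []
    for r in policy:
        if r.action != "allow":
            continue
        if r.src_zone == "WAN" and r.dst_zone == "LAN":
            findings.append(f"WAN->LAN allow gives internal hosts external exposure: {r}")
        if (r.src_zone == "DMZ" and r.dst_zone == "LAN"
                and (r.src_host is None or r.dst_host is None or not r.dports)):
            findings.append(f"DMZ->LAN allow is not pinned to a host and port: {r}")
    return findings


if __name__ == "__main__":
    print(decide("203.0.113.7", "192.0.2.10", "tcp", 443))   # allow: public web
    print(decide("203.0.113.7", "10.10.5.20", "tcp", 443))   # deny: no WAN->LAN path
    print(decide("192.0.2.10", "10.10.5.20", "tcp", 5432))   # allow: pinned DB rule
    print(decide("192.0.2.11", "10.10.5.20", "tcp", 5432))   # deny: wrong DMZ host
    print(audit(POLICY))                                      # []
    sloppy = POLICY + [Rule("DMZ", "LAN", "any", ports(), "allow")]
    print(audit(sloppy))                                      # one finding
```

The point of `audit` is that a compromised DMZ host, which the post says you should plan for, buys the attacker exactly the flows the pinned DMZ-to-LAN rules grant and nothing more; a zone-wide DMZ-to-LAN allow would hand them the internal network, which is what the DMZ exists to prevent.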