From owner-freebsd-net@FreeBSD.ORG Wed Oct 3 18:47:31 2007 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DFF2D16A418 for ; Wed, 3 Oct 2007 18:47:31 +0000 (UTC) (envelope-from pauls@utdallas.edu) Received: from smtp3.utdallas.edu (smtp3.utdallas.edu [129.110.10.49]) by mx1.freebsd.org (Postfix) with ESMTP id A841413C447 for ; Wed, 3 Oct 2007 18:47:31 +0000 (UTC) (envelope-from pauls@utdallas.edu) Received: from utd59514.utdallas.edu (utd59514.utdallas.edu [129.110.3.28]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp3.utdallas.edu (Postfix) with ESMTP id 4FC2565507 for ; Wed, 3 Oct 2007 13:22:06 -0500 (CDT) Date: Wed, 03 Oct 2007 13:22:05 -0500 From: Paul Schmehl To: freebsd-net@freebsd.org Message-ID: <80304F2FE5F437924A638955@utd59514.utdallas.edu> In-Reply-To: <47038673.9020403@seclark.us> References: <47038673.9020403@seclark.us> X-Mailer: Mulberry/4.0.8 (Linux/x86) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: Re: are DMZ's out of vogue X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Oct 2007 18:47:32 -0000 --On Wednesday, October 03, 2007 08:09:23 -0400 Stephen Clark wrote: > Hi List, > > Our in house network configuration is using FreeBSD for our firewall. We > currently have it setup with > 3 interfaces a public, private and DMZ. We our moving to a new facility > and our network engineer > says nobody is using DMZs any more and wants to just do NAT redirects > from our FreeBSD firewall > to servers on the private network. These servers were on the DMZ in our > current configuration. > > Does this make sense? Is it true that DMZ's have fallen out of vogue? > Any time someone makes a statement like that, I ask them for attribution. Where did they get this information? Why do they consider it to be reliable? This is the first time I've heard such a statement, and I consider it to be untrustworthy without some sort of pointer to a trusted source that has made the statement and backed it up with statistics. >From strictly a security philosophy standpoint, it sounds crazy. Without going in to great detail, NAT doesn't do a thing for you with regard to protecting machines. Essentially he's advocating removing one layer of defense without providing any reason why it makes sense other than "everybody is doing it". -- Paul Schmehl (pauls@utdallas.edu) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/