Internet Security Corporation
Why Use a Screening Router and a DMZ Host Together?
A screening router is a matter of fact and a DMZ host is a matter of
policy. You can't connect more than one machine to the Internet without
a router; that's a matter of fact. You may or may not need what a DMZ
host offers, and that's not a matter of fact.
A DMZ host does things that a screening router cannot. Such as? If
your security policy requires that all internal addresses be concealed,
a router cannot do that. If your security policy requires that there be
single sign-on, a screening router cannot do that. If your security policy
requires that ports or addresses be translated, a screening router cannot
do that. Let's talk about what a screening router can do, what a DMZ host
can do, and why you might want either or both. We realize you arrived here
via curiosity about both.
An appropriately equipped screening router will fulfill most of an access
policy. You can configure most modern routers to pass or drop network
packets from the Internet based on address and port criteria that you
specify. This is a matter of fact. Let's expand the explanation briefly to
illustrate a matter of policy. If the policy requires that no packets be
passed for a protocol (notably UDP) other than for an embedded service
(notably NFS), or that outbound service requests all bear the same network
address, a screening router will fail each of those tests. A DMZ host
can reach either objective, but it is important to understand the
difference between facts and policy.
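To make the fact-versus-policy distinction concrete, here is an added illustration (not code from Internet Security Corporation's page) that models the two devices side by side: a stateless, first-match, default-deny address-and-port filter of the kind a screening router provides, and the address translation a DMZ host adds so that every outbound request leaves with one public address and inside hosts stay concealed. The rule set, the 10.0.0.0/8 internal network, the public address 198.51.100.1 and the sample packets are all constructed for the example.

```python
"""Screening-router filter next to DMZ-host address translation.
Added illustration; addresses, rules and packets are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source address
    sport: int   # source port
    dst: str     # destination address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "drop"
    proto: Optional[str] = None   # None matches any protocol
    src: str = "0.0.0.0/0"        # source network (CIDR)
    dst: str = "0.0.0.0/0"        # destination network (CIDR)
    dport: Optional[int] = None   # None matches any destination port


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every criterion it names agrees with the packet."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    src_ok = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
    dst_ok = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
    return src_ok and dst_ok


def screen(rules: List[Rule], pkt: Packet) -> str:
    """Screening-router behaviour: first matching rule decides, and a packet
    that matches nothing is dropped (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "drop"


# Constructed policy from the text: UDP is passed only for NFS (port 2049)
# to one file server, every other UDP packet is dropped, and TCP to the
# web server on port 80 is passed. Everything else falls to default deny.
RULES = [
    Rule("pass", proto="udp", dst="10.1.1.5/32", dport=2049),   # NFS only
    Rule("drop", proto="udp"),                                   # no other UDP
    Rule("pass", proto="tcp", dst="10.1.1.80/32", dport=80),    # web server
]


class DmzHost:
    """What the filter cannot do: rewrite addresses. Every outbound packet
    leaves bearing the DMZ host's single public address; the reply is mapped
    back to the inside host through the translation table."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 40000
        self.table: Dict[int, Tuple[str, int]] = {}   # external port -> (inside addr, port)

    def outbound(self, pkt: Packet) -> Packet:
        ext_port = self.next_port
        self.next_port += 1
        self.table[ext_port] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """A reply to a translated port is forwarded to the inside host that
        opened it; anything without a mapping is discarded, so internal
        addresses are never exposed or directly reachable."""
        inside = self.table.get(pkt.dport)
        if inside is None:
            return None
        return Packet(pkt.proto, pkt.src, pkt.sport, inside[0], inside[1])
```

The filter answers only "does this address/port tuple pass?", which is all a screening router can be asked; the `DmzHost` class is where the policy requirements (a single Internet identity, concealed internal addresses) actually get met, and nothing in `screen` could be configured to achieve them.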
Here's where a combination of DMZ host and screening router is really the
best approach: the security policy requires concealing the protected
network(s), so that the network's Internet identity appears to be a single
host. The other case is where end-to-end encryption is required beyond the
capability of a screening router. This varies from manufacturer to
manufacturer: please make sure you choose carefully.
Let's go back to the opening sentence. Why would you want to combine a
DMZ host and a screening router? It's a matter of security policy.
Are you as tired of reading that as I am of writing it? I thought so...
If your security policy doesn't require anything that a screening router
cannot do, you do not need a DMZ host. It's that simple. If your
security policy requires something that can only be done by a DMZ host,
you need one.