Letters to Redmond

Readers Respond: August 2005

Linux in a Redmond book; impressive Q&As and a reader who disagreed with our Security Advisor's opinion about DMZs.

Compare, Learn, Improve
Nice to see such a good article (from a purely objective point of view) about Linux desktops on a "Redmond" site [Redmond Roundup, June 2005, "Desktop Linux: Ready for Prime Time?"].

That’s just how it should be: compare, learn and make better desktops.

A happy Debian Linux user,
Thomas van Oostveen
Amstelveen, The Netherlands

Climbing the Food Chain
The Ray Ozzie interview was excellent ["It’s Groove Baby!" July 2005]. You gave him a chance to talk, and his insights were fascinating. Way back when in the early days of Exchange, I suspected that some of the development delays were due to trying to incorporate Notes-like features in the product. And it seemed at the time there were some Ray Ozzie/Notes admirers at Microsoft, which turned out to be true!

It is great to be climbing up the food chain on interviews. The fact that Redmond magazine gives these folks some air time and not just a few chopped up sound bites might encourage others (like the rest of the CTO team) to spend some time with you. If I ran Microsoft’s PR Department, I would always be trying to put more of a human face on the company, and showcase some of the other bright folks they have on the payroll.

Also, the Art Department gets points—the layout, cover shot and use of green and the type treatment—the issue looks fabulous!
Erik Westgard
St. Paul, Minn.

DMZ Shortcomings
In reading Dr. Wettern’s article [July 2005 Security Advisor, "Dump Your DMZ"], I found that his criticism of DMZs was flawed for many reasons. The biggest criticism that stood out as I read the article was that numerous times he blamed the DMZ for issues that related more to server placement and configuration (network-design issues) than the shortcomings of the DMZ. Also, any time you give public access to some part of your network, there are going to be risks. A DMZ helps mitigate, but does not completely negate, these risks. There is only so much a DMZ can do if you design your network poorly.

As someone with a Security+ certification, he should know that a firewall and/or DMZ should not, by itself, be the sole means of securing your network. But condemning the concept of a DMZ as a valuable security component is absolutely ludicrous.
Jon Banks, MCSE, Security+
Network Security Engineer
Marietta, GA

Thank you for taking the time to reply to my article. I realized that my column would be controversial, and it is certainly turning out that way.

The reason I question the idea of a DMZ is that I regularly review network designs and I see DMZs being used in ways that don’t increase security. They often provide a false sense of security and represent wide open doors into a corporate network. I see these DMZ design problems in small companies, as well as in large, multinational enterprises.

In my opinion, there are only a few protocols that lend themselves to using a DMZ. The prime example is an SMTP relay server, but SMTP is a protocol that has changed little since DMZs were invented. One of my solutions—to what I consider the main shortcomings of DMZs—is better content inspection (which could be done in conjunction with a DMZ). The other actually takes the original idea of a DMZ one step further to provide enhanced traffic control. By using IPsec mutual authentication between hosts (but not necessarily for encryption), a computer can actually confirm that network traffic really originates from the host from which it claims to come. And, because you can use IPsec to block all traffic that doesn’t originate from specific trusted hosts and uses allowed ports, you can create more effective network isolation than what is provided by a traditional DMZ. In other words, I certainly don’t oppose network isolation, but I believe that what traditional DMZs provide in this respect is insufficient.

I understand your initial reaction to my column, but I hope you can think about the issue again and come to a more charitable assessment. Either way, I do appreciate your feedback and I hope you will continue to provide feedback about my column and other articles in Redmond magazine.
Contributing Editor and Security Advisor Columnist Joern Wettern
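One way to realize the host-isolation approach Wettern describes in his reply, as an added example that is not from the column, the letter or the magazine: a Windows IPsec connection security rule that requires mutual machine authentication (without requiring encryption), plus a firewall rule that admits one service only from authenticated members of a trusted group. It assumes the NetSecurity PowerShell module (Windows 8 / Server 2012 and later, not the 2005-era netsh ipsec tooling), domain-joined hosts so Kerberos machine authentication works, and a placeholder group SID.

```powershell
# Added example, not from the column or the letters: Windows IPsec host isolation
# with the NetSecurity PowerShell module. Assumptions: all hosts are domain
# members (Kerberos machine authentication available) and the trusted application
# servers belong to a domain group whose SID is the placeholder below.
$TrustedGroupSid = "S-1-5-21-PLACEHOLDER-GROUP-SID"   # replace with the real group SID

# 1. Main-mode authentication: mutual MACHINE authentication via Kerberos.
#    This is what lets a host confirm that traffic really originates from the
#    host it claims to come from; no user credential is involved.
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName "Isolation: machine Kerberos" `
    -Proposal $kerbProposal

# 2. Connection security rule: authentication is required for inbound traffic
#    and requested for outbound traffic. Integrity is the goal, not encryption.
New-NetIPsecRule -DisplayName "Isolation: require inbound authentication" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name

# 3. Firewall default: nothing inbound is accepted unless a rule allows it.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 4. Allow one service (here a database listener on TCP 1433) only from peers
#    that authenticated with IPsec AND are members of the trusted group. The
#    SDDL grants the connect right ("CC") to that SID alone.
$sddl = "O:LSD:(A;;CC;;;$TrustedGroupSid)"
New-NetFirewallRule -DisplayName "Isolation: SQL from trusted app servers" `
    -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow `
    -Authentication Required -Encryption NotRequired -RemoteMachine $sddl

# 5. Verification: show the security filter attached to the rule and, once a
#    client has connected, the negotiated main-mode security associations.
Get-NetFirewallRule -DisplayName "Isolation: SQL from trusted app servers" |
    Get-NetFirewallSecurityFilter
Get-NetIPsecMainModeSA | Format-List LocalEndpoint, RemoteEndpoint, RemoteFirstId
```

Run as an administrator on the server to be isolated; a host outside the trusted group, or one that cannot complete Kerberos machine authentication, is dropped by the firewall regardless of which network segment it sits on.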
