Letters to Redmond

Readers Respond: August 2005

Linux in a <i>Redmond</i> book; impressive Q&As and a reader who disagreed with our Security Advisor's opinion about DMZs.

Compare, Learn, Improve
Nice to see such a good article (from a purely objective point of view) about Linux desktops on a "Redmond" site [Redmond Roundup, June 2005, "Desktop Linux: Ready for Prime Time?"].

That’s just how it should be: compare, learn and make better desktops.

A happy Debian Linux user,
Thomas van Oostveen
Amstelveen, The Netherlands

Climbing the Food Chain
The Ray Ozzie interview was excellent ["It’s Groove Baby!" July 2005]. You gave him a chance to talk, and his insights were fascinating. Way back when in the early days of Exchange, I suspected that some of the development delays were due to trying to incorporate Notes-like features in the product. And it seemed at the time there were some Ray Ozzie/Notes admirers at Microsoft, which turned out to be true!

It is great to be climbing up the food chain on interviews. The fact that Redmond magazine gives these folks some air time and not just a few chopped up sound bites might encourage others (like the rest of the CTO team) to spend some time with you. If I ran Microsoft’s PR Department, I would always be trying to put more of a human face on the company, and showcase some of the other bright folks they have on the payroll.

Also, the Art Department gets points—the layout, cover shot and use of green and the type treatment—the issue looks fabulous!
Erik Westgard
St. Paul, Minn.

DMZ Shortcomings
In reading Dr. Wettern’s article [July 2005 Security Advisor, "Dump Your DMZ"], I found that his criticism of DMZs was flawed for many reasons. The biggest criticism that stood out as I read the article was that numerous times he blamed the DMZ for issues that related more to server placement and configuration (network-design issues) than the shortcomings of the DMZ. Also, any time you give public access to some part of your network, there are going to be risks. A DMZ helps mitigate, but does not completely negate, these risks. There is only so much a DMZ can do if you design your network poorly.

As someone with a Security+ certification, he should know that a firewall and/or DMZ should not, by itself, be the sole means of securing your network. But, condemning the concept of a DMZ as a valuable security component is absolutely ludicrous.
Jon Banks, MCSE, Security+
Network Security Engineer
Marietta, GA

Thank you for taking the time to reply to my article. I realized that my column would be controversial, and it is certainly turning out that way.

The reason I question the idea of a DMZ is that I regularly review network designs and I see DMZs being used in ways that don’t increase security. They often provide a false sense of security and represent wide open doors into a corporate network. I see these DMZ design problems in small companies, as well as in large, multinational enterprises.

In my opinion, there are only a few protocols that lend themselves to using a DMZ. The prime example is an SMTP relay server, but SMTP is a protocol that has changed little since DMZs were invented. One of my solutions—to what I consider the main shortcomings of DMZs—is better content inspection (which could be done in conjunction with a DMZ). The other actually takes the original idea of a DMZ one step further to provide enhanced traffic control. By using IPsec mutual authentication between hosts (but not necessarily for encryption), a computer can actually confirm that network traffic really originates from the host from which it claims to come. And, because you can use IPsec to block all traffic that doesn’t originate from specific trusted hosts and uses allowed ports, you can create more effective network isolation than what is provided by a traditional DMZ. In other words, I certainly don’t oppose network isolation, but I believe that what traditional DMZs provide in this respect is insufficient.

I understand your initial reaction to my column, but I hope you can think about the issue again and come to a more charitable assessment. Either way, I do appreciate your feedback and I hope you will continue to provide feedback about my column and other articles in Redmond magazine.
Contributing Editor and Security Advisor Columnist Joern Wettern


comments powered by Disqus

Subscribe on YouTube