Tuesday, 24 March 2009

The History of the DMZ

I forget where I picked this up; it was at a presentation with SANS, but I am unable to remember which one.

The issue was the definition of a DMZ. It was stated that the term should refer to a demarcation zone (such as the one on the South/North Korean border).

It was also stated that a DMZ is not truly de-militarised.

I just wanted to note that this is mixing terminology. Although DMZ can refer to either a demarcation zone or a demilitarised zone, the two are valid and separate terms; the first is the Korean border already mentioned, which has little demilitarisation but extensive demarcation.

The second is the older definition, and it is the one incorrectly used in network circles.

De-militarised zones are exactly that. They have a historic place that predates the historically recent demarcation zone. In recent history, the Vienna convention conditions enforced against Germany following WW1 included a DMZ in the demilitarised sense.

The demilitarised Rhineland zone created following Germany’s defeat in WW1 was a German district that the German military was forbidden to enter (thus creating a buffer for France). The prelude to WW2 (on 3/9/36) was the German army’s occupation of the Rhineland in defiance of the edict that created the demilitarised status of the area. This was a true de-militarised zone, and this is what the term means.

For network systems, a demarcation zone is a more accurate reflection of what a DMZ truly is. This is also reflected in other historical sources (such as WW1): the interstitial zone between the trenches on the French and Belgian front with Germany was a DMZ. It was a demarcation region or zone known as no-man’s land.

I guess a little of the trouble we have with the term DMZ is that in networking and security we take a combination of demarcation and demilitarisation and interchange the two as needed. The real truth is that neither term is correct in network use. Early DMZs (say, from 1984 to 1992) would have fitted the demarcation definition: they defined a network segment that was sacrificial, hosting a proxy device (pre-NAT) or other connection systems and acting as a buffer.

How language changes...

1 comment:

Dai said...

Hi Craig,

I think the slide you have in mind is part of 503 Intrusion Detection In-depth at the start of Day 5.