Angelic: Your boss just showed his level of computer knowledge by stating that the DMZ opens a machine to everything. His experience is that of Linksys, D-Link router/firewalls, i.e. consumer grade, which allows you to place a box in the "DMZ" so that it is unfettered by the firewall rules. This isn't a DMZ, since all packets will be received by the "DMZ"ed machine.

A proper DMZ is made up of what is really a separate network. This can be created by having two firewall devices. One controls access to the "half internal" network or DMZ and the other controls access from the "half internal" network (or DMZ) to the trusted network. Many up-to-date firewalls have a built-in DMZ (WatchGuard, for example, calls the port the optional port). Rules can be set up for access from the public network to the DMZ, from the public network to the trusted network, and from the DMZ to the trusted network. It creates a three-network system: public, DMZ and trusted. The control can be extremely granular. Typically, in a DMZ-enabled system no access is allowed directly from the public network to the trusted network. Incoming packets are routed to servers in the DMZ and no further (web pages etc. are served from the DMZ). If packets are required to get to the trusted network then they are first received by a server in the DMZ and then forwarded to a specific server in the trusted network; email is a good example. I employ a "mail sentry" in the DMZ that uses one type of mail server which then forwards the incoming mail to a server on the trusted network that uses a different mail server. Thus, if you want to get to my trusted network by exploiting SMTP you need exploits for two different mail servers.

Hope that clears up the DMZ issue. Ask if you need more detail.
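The three-zone policy Angelic describes, written out as an nftables ruleset for a single Linux firewall with one interface per zone. This is an added example, not part of the original post or of any product mentioned in it; the interface names, the documentation-range addresses and the host roles are assumptions made for illustration.

```nftables
#!/usr/sbin/nft -f
# Assumed layout (not from the original post):
#   eth0  public   Internet-facing
#   eth1  dmz      192.0.2.0/24  (mail sentry 192.0.2.25, web server 192.0.2.80)
#   eth2  trusted  10.0.0.0/24   (internal mail server 10.0.0.25)
flush ruleset

table inet dmz_policy {
    chain forward {
        # Default deny between zones; every permitted path is listed explicitly.
        type filter hook forward priority 0; policy drop;

        # Stateful inspection: replies to connections already allowed below.
        ct state established,related accept
        ct state invalid drop

        # public -> DMZ: only the services the DMZ exists to expose.
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.80 tcp dport { 80, 443 } accept
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.25 tcp dport 25 accept

        # public -> trusted: never directly; log so the attempt is visible.
        iifname "eth0" oifname "eth2" log prefix "public->trusted denied: " drop

        # DMZ -> trusted: only the mail sentry, only to the internal mail
        # server, only SMTP. This is the "two different mail servers" path.
        iifname "eth1" oifname "eth2" ip saddr 192.0.2.25 ip daddr 10.0.0.25 tcp dport 25 accept
        iifname "eth1" oifname "eth2" log prefix "dmz->trusted denied: " drop

        # DMZ -> public: the sentry may deliver outbound mail; nothing else leaves the DMZ.
        iifname "eth1" oifname "eth0" ip saddr 192.0.2.25 tcp dport 25 accept

        # trusted -> DMZ and trusted -> public: outbound from the inside is
        # allowed here; tighten per service if your policy requires it.
        iifname "eth2" oifname { "eth0", "eth1" } accept
    }
}
```

The address translation that maps a public IP onto the DMZ hosts is left out so the zone rules stay readable; the denied-and-logged lines are the ones worth feeding to your log monitoring, since a hit on them means something is trying the path the design forbids.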

ianbigboy:

Any network admin that thinks it's "his network" to run a vulnerability scan on a whim is extremely ignorant.
Let me start by thanking you for calling me extremely ignorant, that was very nice. I'm a network admin, heck I'm the Manager of Information Systems. It _is_ my network to run scans against whenever I please. I perform random scans and vulnerability checks at will.

If I get pink slipped for knocking production servers offline then the pink slip is for my incompetence, _not_ for the fact that I chose to do my job. There's a whole world of difference. If you don't know the potential hazards of a particular tool/vuln scanner you should be using it on test boxes first. If you don't have test boxes then it should be done at 10:30pm on a Friday night upon completion of a full backup and verify, so that you have the weekend to fix your screw-up.