
What is a DMZ?



"DMZ" is short for demilitarized zone and is a military term meaning "is an area, usually the frontier or boundary between two or more military powers (or alliances), where military activity is not permitted, usually by a peace treaty, armistice or other bilateral or multilateral agreement." In the world of computer networking and security, the term DMZ refers to a network zone that sits between the internal (trusted network) and external (untrusted network). The external or untrusted network is typically the Internet (or an extranet) and the internal or trusted network would be the corporate intranet.

What is the purpose of a DMZ?

The main purpose of a DMZ is to separate the hosts that must be reachable from an external network from the rest of the internal network. This is useful for companies that need to offer information and services to external users, such as Web, DNS, mail and FTP access to the outside world. In this arrangement, hosts on the internal network can initiate connections to hosts on the DMZ, and hosts on the external network can initiate connections to hosts on the DMZ. However, in most cases hosts on the external network cannot initiate connections to hosts on the internal network, and hosts on the DMZ cannot initiate connections to hosts on the internal network either.

What this means is that if a host on the internal network needs to access, for example, a web page on a server that resides on the DMZ or external network, the traffic is allowed out and the returning traffic is allowed back in because the session was initiated from the internal network. If a host on the DMZ or external network tried to access a resource on the internal network directly, the firewall would refuse it. If a host on the DMZ were compromised by an attacker, only the limited data on that host would be exposed, and the internal network would remain protected as long as the policy really does deny connections from the DMZ inward. To an attacker the DMZ should be a dead end, which is why any exceptions that let DMZ hosts reach internal systems, and any credentials stored on DMZ hosts that are also valid on the internal network, need to be kept to an absolute minimum.

Access to the DMZ

Access to the DMZ is typically limited on a per-destination-address and/or per-port basis. This is controlled by a device called a firewall. In computer network security, a firewall is a device that blocks communications forbidden by the network security policy while allowing approved traffic to flow. There are several common types of firewalls, including proxy, packet filtering and stateful. Stateful firewalls are the most common and robust type in use today. By maintaining "state" tables, the firewall can track the connections it has allowed in and out of each interface and allow traffic from a less trusted network to return to a more trusted network if the connection was originated by the more trusted network. A packet that looks like a reply but matches no entry in the state table is simply dropped, which is what stops an outside host from sending "response" packets at the internal network unprompted.


To get a better understanding of how this works, take a look at the drawing of a typical single-DMZ design utilizing three firewall interfaces to separate the external, DMZ and internal networks in Figure 1-A below:

Figure 1-A: Typical DMZ


Based on this design the firewall can allow limited access to the DMZ from the internal and external networks by making use of connection states and security rules based on the network security policy, while still providing protection to the internal network from potential threats directed from the two less trusted networks.

There are many different security designs that can utilize a DMZ. Some designs incorporate multiple DMZs with different levels of protection. Some of those multi-DMZ designs tier the communications: the external network talks to one DMZ, that DMZ talks to a second DMZ, and the second DMZ talks to an inside resource. Although this is not the most secure design, it is sometimes a requirement in order to provide certain services from the internal network to the external network through several tiers of secured communications. An example of this type of design might be the external network accessing a web server front-end application on DMZ1; the web server on DMZ1 then accesses a back-end database server on DMZ2 over a single secured port; and finally the database server on DMZ2 accesses the internal network domain.
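As an added illustration (not code from the original article), the following Python model of a stateful zone firewall enforces the policies described in the single-DMZ and tiered designs above. The zone addresses, the web server on DMZ1, the database server on DMZ2 and the ports (443 for the web front end, 5432 for the database, and 636 for the database host's directory lookups against the internal domain) are assumptions chosen for the example. The point is how the state table lets replies flow back to whichever zone initiated the connection, while any DMZ-to-internal or external-to-internal connection that the policy does not explicitly list is dropped, including a forged "reply" that has no matching state entry.

```python
"""Stateful zone firewall model for the single and tiered DMZ designs.

Added illustration, not code from the original article. Zone ranges,
host addresses and the permitted ports are assumptions for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple

# One firewall interface per zone. Documentation ranges stand in for real ones.
ZONES = {
    "external": ip_network("203.0.113.0/24"),  # the Internet side (assumed)
    "dmz1": ip_network("192.0.2.0/24"),        # web front-end tier (assumed)
    "dmz2": ip_network("198.51.100.0/24"),     # database tier (assumed)
    "internal": ip_network("10.0.0.0/8"),      # corporate intranet (assumed)
}

# Security policy: (source zone, destination zone, destination port) that may
# *initiate* a connection. Anything not listed is denied. Note that nothing
# allows external -> internal or dmz1 -> internal directly.
POLICY: Set[Tuple[str, str, int]] = {
    ("external", "dmz1", 443),   # Internet users reach the web front end
    ("internal", "dmz1", 443),   # staff reach the same site
    ("internal", "dmz2", 5432),  # DBAs reach the database
    ("dmz1", "dmz2", 5432),      # web tier talks to the database tier only
    ("dmz2", "internal", 636),   # database host queries the internal domain (LDAPS, assumed)
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr: str) -> Optional[str]:
    """Map an address to the zone (interface) it arrives on, or None."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


class StatefulFirewall:
    def __init__(self, policy: Set[Tuple[str, str, int]] = POLICY):
        self.policy = policy
        # Established 5-tuples, stored in the initiator's direction.
        self.state: Set[Tuple[str, str, int, str, int]] = set()

    def evaluate(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Either direction of a known connection passes regardless of zone
        #    ordering; this is how a reply from a less trusted zone gets back
        #    to the more trusted zone that initiated it.
        if key in self.state or reverse in self.state:
            return "ESTABLISHED"
        # 2. A new connection must match the zone policy exactly.
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        if src_zone is None or dst_zone is None or src_zone == dst_zone:
            return "DROP"  # unknown or same-zone traffic never crosses the firewall
        if (src_zone, dst_zone, pkt.dport) in self.policy:
            self.state.add(key)
            return "NEW"
        return "DROP"


def run_scenarios() -> dict:
    """Walk the flows discussed in the article through one firewall instance."""
    fw = StatefulFirewall()
    return {
        "ext_to_web": fw.evaluate(Packet("203.0.113.5", 51000, "192.0.2.10", 443)),
        "web_reply": fw.evaluate(Packet("192.0.2.10", 443, "203.0.113.5", 51000)),
        # looks like a reply from the web server, but nobody on the inside asked
        "forged_reply": fw.evaluate(Packet("192.0.2.10", 443, "10.1.2.3", 51000)),
        # a compromised web server trying to reach an internal file share
        "web_to_internal": fw.evaluate(Packet("192.0.2.10", 40000, "10.1.2.3", 445)),
        "web_to_db": fw.evaluate(Packet("192.0.2.10", 40001, "198.51.100.20", 5432)),
        # the tiered path the article warns about: DMZ2 -> internal on one port
        "db_to_domain": fw.evaluate(Packet("198.51.100.20", 40002, "10.1.2.3", 636)),
        "ext_to_db": fw.evaluate(Packet("203.0.113.5", 51001, "198.51.100.20", 5432)),
        "ext_to_internal": fw.evaluate(Packet("203.0.113.5", 51002, "10.1.2.3", 443)),
        "internal_to_web": fw.evaluate(Packet("10.1.2.3", 52000, "192.0.2.10", 443)),
        "internal_reply": fw.evaluate(Packet("192.0.2.10", 443, "10.1.2.3", 52000)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:16s} {verdict}")
```

Two things are worth noticing when you run it. The forged reply is dropped even though its source port is 443, because state is keyed on the full 5-tuple and only the initiator's side ever creates an entry. And the only way the database host on DMZ2 can touch the internal network is the single port listed in POLICY, which is exactly the path an attacker who has taken the web tier and then the database tier would have to travel; that is the trade-off the tiered design accepts.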

Obviously, anytime a design like this is in place there is the possibility of the internal network being compromised from the external network via the hosts and paths through the firewall along the way. However, there are many methods of identifying and thwarting such an attack before the internal network is compromised: hardening the DMZ servers by limiting access to exactly the services they offer, stripping off any services that are not required for them to function properly, keeping the operating systems and software patched against the newest vulnerabilities and exploits, and blending a mixture of IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) to help detect and thwart attacks against these servers.
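One concrete form of the "strip off unneeded services" step is to compare what a DMZ host is actually listening on against the services it is supposed to offer. The following added example (not from the article) parses a constructed sample of `ss -tulnH` output for a hypothetical web front-end host and reports listeners that are not in the allowed baseline; the sample lines and the baseline are assumptions for illustration.

```python
"""Audit a DMZ host's listening sockets against the services it should offer.

Added example, not from the original article. SAMPLE_SS_OUTPUT is a
constructed `ss -tulnH` capture for a hypothetical web front-end host; the
ALLOWED baseline is an assumption for that role.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample of what `ss -tulnH` might print on a DMZ web server.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      4096   0.0.0.0:443      0.0.0.0:*
tcp   LISTEN 0      4096   [::]:443         [::]:*
tcp   LISTEN 0      128    0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:25     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111      0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:3306     0.0.0.0:*
"""

# Baseline for a web front end (assumed): HTTPS for users and SSH for
# management. Who may reach SSH is the firewall's job, not the host's.
ALLOWED: Set[Tuple[str, int]] = {("tcp", 443), ("tcp", 22)}

LOOPBACK_ADDRS = ("127.0.0.1", "[::1]")


def parse_listeners(ss_output: str) -> List[Tuple[str, str, int]]:
    """Return (proto, bind address, port) for every socket in `ss -tuln` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or truncated line
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)  # works for "[::]:443" and "0.0.0.0:443"
        listeners.append((proto, addr, int(port)))
    return listeners


def audit_listeners(ss_output: str, allowed: Set[Tuple[str, int]]) -> Dict[str, List[Tuple[str, int]]]:
    """Classify listeners.

    'unexpected'    - reachable from the network and not in the baseline;
                      these are the services to remove or, failing that, to
                      block at the firewall.
    'loopback_only' - bound to 127.0.0.1 / ::1, reported for information only,
                      since no other host can connect to them.
    """
    unexpected, loopback_only = set(), set()
    for proto, addr, port in parse_listeners(ss_output):
        if addr.startswith("127.") or addr in LOOPBACK_ADDRS:
            loopback_only.add((proto, port))
        elif (proto, port) not in allowed:
            unexpected.add((proto, port))
    return {"unexpected": sorted(unexpected), "loopback_only": sorted(loopback_only)}


if __name__ == "__main__":
    report = audit_listeners(SAMPLE_SS_OUTPUT, ALLOWED)
    for proto, port in report["unexpected"]:
        print(f"REMOVE OR FIREWALL: {proto}/{port} is listening but not in the baseline")
    for proto, port in report["loopback_only"]:
        print(f"info: {proto}/{port} is bound to loopback only")
```

On the sample, the rpcbind-style UDP listener on 111 and the database on 3306 are flagged: neither belongs on a web front end, and a database listening on the web tier is precisely the kind of foothold the tiered design above is meant to keep off the Internet-facing host.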

Keep in mind that the key to any secure network perimeter design is both the security policy and the network topology, and it is critical that both are kept in mind when deploying any type of network security device into your network.

I hope you've enjoyed this article and look for a new article on designing a secured DMZ soon.
