Online transactions are an unavoidable part of today’s economy. But when corporate networks expose their infrastructure and resources to the largely unsecured public internet, they throw themselves open to the possibility of attack. One way of reducing this risk is through the establishment of buffer zones known as DMZs.
What’s a DMZ?
DMZ stands for demilitarized zone – a throwback to the area created along the 39th parallel in 1953 where arms and military operations are prohibited, as a buffer between North and South Korea.
In network and computing terms, a demilitarized zone or DMZ is a subsidiary physical or logical network that contains the outward-facing services and assets of an organization, the ones routinely exposed to larger and largely untrusted networks such as the internet.
A DMZ effectively separates a corporate LAN or local area network into two parts: One with resources, hardware, and services that can interact directly with the internet, and a protected internal part that’s only accessible to the enterprise. Hackers and malicious intruders are thus restricted to attempting to access the organization’s externally facing assets (those within the DMZ), rather than having free rein to attack its in-house data and servers.
There are a number of ways to configure or create a network that incorporates a DMZ.
Using a Single Firewall
This method requires a single firewall with at least three network interfaces, which is why the approach is also known as the “three-legged model”.
The first network interface of the three-legged DMZ model houses the external network existing between the Internet Service Provider (ISP) and an organization’s perimeter firewall. The second network interface houses the main body of a company’s LAN or internal network, while the third interface is where the DMZ is established.
This model sets the corporate firewall as its single point of failure – one that could potentially affect the entire network. So it’s essential that this resource be properly configured and well guarded. This single firewall also has to be robust enough to cope with all the traffic headed toward both the demilitarized zone and the internal network.
Using Dual Firewalls
A more secure DMZ results when two firewalls are used to construct the architecture. The first or front-facing firewall is configured to regulate traffic passing to and from the demilitarized zone exclusively. A second or back-end firewall governs traffic passing from the DMZ to the LAN or corporate network.
By sheer depth of defense, the dual firewall method gives the greater protection, as intruders would need to work through two discrete firewalls in order to breach the internal network. As an added safeguard, some enterprises use firewalls from two different manufacturers, so that a single vulnerability in one vendor’s product cannot be exploited to defeat both layers.
Though largely confined to commercial applications, a demilitarized zone can prove useful for internet users in a domestic environment.
For home networks, a LAN typically connects devices to the internet using a broadband router. This router effectively serves as a firewall for the system, filtering external traffic through to the network according to a set of pre-configured rules. A home DMZ segments the network into two parts, by transferring selected devices from inside the firewall to the outside.
In situations where file and web servers or VoIP (Voice over Internet Protocol) communications equipment is run from a home network server rather than the cloud, a DMZ can be a valuable tool. For online gamers, there’s also the option of DMZ host support settings on broadband routers, which can isolate gaming consoles and keep them outside the firewall (router), in an effective DMZ containing one device.
Enterprise networks typically use a variant of single or dual firewall architectures to create DMZs for managing their web and other externally facing servers. With the proliferation of existing and newly discovered exploits targeting potentially vulnerable network infrastructure and services, having a DMZ in place provides an additional layer of protection for the valuable resources and data residing within the local network.
Even if a malicious intruder does manage to compromise or gain access to one or more of the public-facing assets, their logical or physical separation from the core network they support will leave those internal resources untouched. All incoming traffic and network requests must first pass through the DMZ barrier before reaching the corporate firewalls.
Physical and financial resources, operating environments, regulatory compliance issues and other factors result in a wide range of DMZ architectures. The largest corporate networks typically employ a multi-layered approach, with several levels of DMZ firewall support protecting their internal assets.
Any network resource which requires communication with an external network or the internet, and which runs as a server (physical or virtual) may be placed in a DMZ. Compatible services include web and email servers, FTP servers, and VoIP servers. An organization’s overall security policy and the anticipated impact of having a resource outside its primary network domain are governing factors in deciding which of these assets to put in the DMZ.
Some degree of fine-tuning is usually required. For example, a database of email users and their respective messages might typically be stored within the corporate LAN, while the email server itself resides in a DMZ. This server’s main function would then be to pass incoming and outgoing mail between the internal database servers and the internet.
Care must also be taken in configuring firewalls, with a set of rules to protect the DMZ from the internet, along with rules protecting the internal network from the DMZ.
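The following is an added illustration, not code from the original article: a small zone-based policy model for the three-legged single-firewall design described above, carrying the two rule sets just mentioned (DMZ protected from the internet, internal network protected from the DMZ) and the mail-relay arrangement from the previous paragraph. The zone names, the port the relay uses to reach the internal mail store (tcp/25) and the sample port list are constructed assumptions; `reachable_from` shows what a compromised DMZ host could still open toward the LAN under this policy.

```python
"""Zone policy for a three-legged DMZ firewall (added illustration, not code
from the original article). Zones, the mail-relay port and the sample ports
are constructed assumptions; the rules encode the article's policy: the
internet reaches only published DMZ services, the DMZ reaches the LAN only
for the one back-end it needs, and everything else is denied by default."""
from dataclasses import dataclass

ZONES = ("wan", "dmz", "lan")  # one firewall interface per zone

@dataclass(frozen=True)
class Rule:
    src: str            # source zone
    dst: str            # destination zone
    proto: str          # "tcp", "udp" or "any"
    dports: frozenset   # allowed destination ports; empty means any
    action: str         # "accept" or "drop"

# First-match ruleset; a flow matching no rule is dropped.
RULES = (
    # Internet may reach only the published DMZ services (assumed: SMTP, web).
    Rule("wan", "dmz", "tcp", frozenset({25, 80, 443}), "accept"),
    # DMZ mail relay hands inbound mail to the internal store (assumed tcp/25)
    # and nothing else, so a compromised relay cannot roam the LAN.
    Rule("dmz", "lan", "tcp", frozenset({25}), "accept"),
    # The relay needs outbound SMTP and DNS to do its job.
    Rule("dmz", "wan", "tcp", frozenset({25}), "accept"),
    Rule("dmz", "wan", "udp", frozenset({53}), "accept"),
    # Internal users and admins may reach the DMZ and the internet.
    Rule("lan", "dmz", "any", frozenset(), "accept"),
    Rule("lan", "wan", "any", frozenset(), "accept"),
)

def evaluate(src, dst, proto, dport):
    """Return the firewall's verdict ("accept"/"drop") for one inter-zone flow."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError("unknown zone")
    for r in RULES:
        if ((r.src, r.dst) == (src, dst) and r.proto in (proto, "any")
                and (not r.dports or dport in r.dports)):
            return r.action
    return "drop"  # default deny

def reachable_from(zone, ports=(22, 25, 53, 80, 443, 445, 3389)):
    """Blast radius: flows a host in `zone` could open into the other zones."""
    return {(dst, proto, port)
            for dst in ZONES if dst != zone
            for proto in ("tcp", "udp")
            for port in ports
            if evaluate(zone, dst, proto, port) == "accept"}
```

Reordering the rules or widening the `dmz -> lan` entry is the usual way such a policy quietly loses its value, so the `reachable_from("dmz")` set is worth re-checking whenever the ruleset changes.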