What is a DMZ Network?

How a network DMZ works

In computer networks, a demilitarized zone (DMZ), sometimes also known as a perimeter network or screened subnet, is a physical or logical subnet that separates a local area network (LAN) from other untrusted networks, usually the Internet. Externally facing servers, resources, and services are located in the DMZ. They can therefore be reached from the Internet, but they still cannot reach the rest of the internal LAN. This provides an additional layer of security for the LAN, as it restricts an attacker's ability to reach internal servers and data directly over the Internet.

Any service offered to users on the public Internet should be placed in the DMZ network. The most common of these services include web and proxy servers, as well as email, Domain Name System (DNS), File Transfer Protocol (FTP), and Voice over Internet Protocol (VoIP) servers.

Systems running these services in the DMZ can be reached by hackers and cyber criminals around the world and need to withstand ongoing attacks. The term DMZ comes from the geographic buffer zone established between North and South Korea at the end of the Korean War.

DMZ Network Architecture

There are many ways to design a network with a DMZ. The two primary methods use either one or two firewalls, although most modern DMZs are designed with two firewalls. This basic approach can be extended to create more complex structures, depending on network requirements.

A single firewall with at least three network interfaces can be used to create a network structure containing a DMZ. The external network, that is the public Internet connection via an Internet service provider (ISP), is attached to the firewall's first network interface; the internal network is formed on the second network interface; and the DMZ network itself is connected to the third network interface.

DMZ network scheme

How DMZ Network Works

Different combinations of firewall rules for traffic between the Internet and the DMZ, between the DMZ and the LAN, and between the LAN and the Internet tightly control which ports and types of traffic are allowed to enter the DMZ from the Internet, limit communication to specific hosts in the internal network, and prevent unwanted connections from the DMZ to either the Internet or the internal LAN.

The most secure approach to creating a DMZ network is the dual-firewall design, where two firewalls are deployed with the DMZ network between them. The first firewall, also called the perimeter firewall, is configured to allow external traffic destined for the DMZ only. The second, or internal, firewall only allows traffic from the DMZ to the internal network. This is safer because two devices would have to be compromised before an attacker could reach the internal LAN.

Because the DMZ is a separate network segment, security controls can be tuned for each segment individually. For example, an intrusion detection and prevention system placed in the DMZ in front of the web servers can be configured to block all traffic except HTTPS requests to TCP port 443.
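The single-firewall, three-interface layout and the zone rules described above, expressed as an nftables forward policy. This is an added example, not configuration from the original page; the interface names, subnets, the DMZ web server address and the LAN database it is allowed to reach are all assumed placeholders.

```shell
#!/bin/sh
# Added example: nftables forward rules for a single firewall with three interfaces.
# Assumed layout (placeholders, not from the page):
#   eth0 = Internet (WAN), eth1 = internal LAN, eth2 = DMZ
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
DMZ_IF=${DMZ_IF:-eth2}
DMZ_WEB=${DMZ_WEB:-192.168.20.10}   # hypothetical web server living in the DMZ
LAN_DB=${LAN_DB:-192.168.10.50}     # hypothetical LAN database the web server needs

# Emit the ruleset; the forward chain defaults to drop, so every allowed
# zone-to-zone flow has to be listed explicitly.
dmz_ruleset() {
cat <<EOF
table inet dmz {
  chain forward {
    type filter hook forward priority 0; policy drop;

    ct state established,related accept
    ct state invalid drop

    # Internet -> DMZ: only HTTPS to the web server, nothing else enters the DMZ
    iifname "$WAN_IF" oifname "$DMZ_IF" ip daddr $DMZ_WEB tcp dport 443 ct state new accept

    # DMZ -> LAN: only the web server, only to the database, only on its port
    iifname "$DMZ_IF" oifname "$LAN_IF" ip saddr $DMZ_WEB ip daddr $LAN_DB tcp dport 5432 ct state new accept

    # LAN -> DMZ and LAN -> Internet: internal users may initiate connections outward
    iifname "$LAN_IF" oifname { "$DMZ_IF", "$WAN_IF" } ct state new accept

    # Internet -> LAN and DMZ -> Internet: no allow rule exists, so they would be
    # dropped by policy anyway; log them so a compromised DMZ host is noticed
    iifname "$WAN_IF" oifname "$LAN_IF" log prefix "dmz-fw wan->lan " drop
    iifname "$DMZ_IF" oifname "$WAN_IF" log prefix "dmz-fw dmz->wan " drop
  }
}
EOF
}

# Print the ruleset; apply it on a real firewall with:  sh dmz.sh | nft -f -
dmz_ruleset
```

Syntax-check before applying with `sh dmz.sh | nft -c -f -`; note that DMZ hosts get no outbound Internet access here, so updates and DNS for them must be handled deliberately (a local resolver or update mirror) rather than by loosening the rule.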

How DMZs Work

DMZs are meant to act as a buffer between the public Internet and the organization's internal network. Deploying the DMZ between two firewalls means that every incoming network packet is inspected by a firewall or other security device before it reaches the servers the organization hosts in the DMZ. This should be enough to stop the least sophisticated threat actors.

If a more capable actor manages to get through the first firewall, they still have to gain unauthorized access to the services in the DMZ before they can cause any harm, and those systems should be hardened against exactly such attacks.

Finally, assuming a well-equipped actor is able to get past the external firewall and take over a system hosted in the DMZ, they still have to penetrate the internal firewall before they can reach sensitive enterprise resources. Although even the most secure DMZ architecture can be breached by a determined attacker, an attack on the DMZ should trigger alarms, giving security staff enough warning to prevent a complete breach of the organization.

What DMZs are used for

DMZs have been an important part of enterprise network security for almost as long as firewalls have been in use, and they are deployed for largely the same reason firewalls are: to protect sensitive systems and resources.