The subject of this post is DMZ networks. But what exactly are the DMZ networks? DMZ ((DeMilitarized Zone) is essentially a military and political term meaning a civilian area. The most famous example of a demilitarized zone right now is the demilitarized zone on the border between South Korea and North Korea:
In network security, a DMZ is a physical or logical subnetwork that contains and exposes an organization’s external-facing services to an untrusted, usually larger, network such as the Internet. The DMZ adds an additional layer of network security between the Internet and an organization’s internal network so that external parties only have direct connections to devices in the DMZ rather than the entire internal network. Resources commonly placed in the DMZ include, Web servers, Mail servers, FTP servers, and VoIP servers. In fact, an external network node can access only what is exposed in the DMZ, while the rest of the organization’s network is firewalled. The DMZ functions as a small, isolated network positioned between the Internet and the private network. A DMZ configuration provides additional security from external attacks, but it typically has no bearing on internal attacks such as sniffing communication via a packet analyzer or spoofing such as e-mail spoofing. So, a DMZ server is known as a Data Management Zone and provides secure services to local area network users for email, Web applications, ftp, and other applications that require access to the Internet.
DMZ sometimes referred to as a perimeter network or screened subnet because the DMZ is isolated using a security gateway (i.e. firewall) to filter traffic between the DMZ and the private network. The DMZ itself also has a security gateway in front of it to filter incoming traffic from the external network. We can say that DMZ is neither as secure as the internal network, nor as insecure as the public internet. Hosts in the DMZ are permitted to have only limited connectivity to specific hosts in the internal network, as the content of DMZ is not as secure as the internal network. Also, communication between hosts in the DMZ and to the external network is also restricted to make the DMZ more secure than the Internet and suitable for housing these special purpose services.
DMZ is a less secure network than the internal network. For this reason, there are added security measures that are taken for a DMZ host which include:
- Disabling unnecessary services
- Running the necessary services with the privileges reduced,
- Eliminating any unnecessary user accounts
- Making sure the DMZ has the latest security updates and patches.
Architecture of DMZ Networks
There are many different ways to design a network with a DMZ. Two of the most basic methods are:
- Single Firewall (three legged model)
- Dual Firewall (back to back model)
Single firewall model
A single firewall with at least 3 network interfaces can be used to create a network architecture containing a DMZ:
- The external network is formed from the ISP to the firewall on the first network interface
- The internal network is formed from the second network interface
- The DMZ is formed from the third network interface.
The firewall must be able to handle all of the traffic going to the DMZ as well as the internal network. The zones are usually marked with colors -for example, purple for LAN, green for DMZ, red for Internet (with often another color used for wireless zones). Different sets of firewall rules for monitoring traffic between the internet and the DMZ, the LAN and the DMZ, and the LAN and the internet tightly control which ports and types of traffic are allowed into the DMZ from the internet, limit connectivity to specific hosts in the internal network and prevent unrequested connections either to the internet or the internal LAN from the DMZ.
Dual firewall model
There are two firewall in this model:
- First firewall (“front-end” or “perimeter” firewall) must be configured to allow traffic destined to the DMZ only.
- Second firewall (“back-end” or “internal” firewall) only allows traffic to the DMZ from the internal network.
DMZs are intended to function as a sort of buffer zone between the public internet and the private network. Deploying the DMZ between two firewalls means that all inbound network packets are screened using a firewall or other security appliance before they arrive at the servers the organization hosts in theDMZ.
Some home routers refer to a DMZ host. This DMZ host is a single address (e.g., IP address) on the internal network that has all traffic sent to it which is not otherwise forwarded to other LAN hosts.
The DMZ host provides none of the security advantages that a subnet provides and is often used as an easy method of forwarding all ports to another firewall / NAT device. This tactic (establishing a DMZ host) is also used with systems which do not interact properly with normal firewalling rules or NAT. (Source: en.wikipedia.org)
Benefits of DMZ
- Access Control for Organizations: Organizations can provide user access to services situated outside of their network perimeters through the public internet. A DMZ network provides access to these necessary services while simultaneously introducing a level of network segmentation that increases the number of obstacles an unauthorized user must bypass before they can gain access to an organization’s private network.
- Prevent attackers from performing network reconnaissance: A DMZ prevents an attacker from being able to scope out potential targets within the network. Even if a system within the DMZ is compromised, the private network is still protected by the internal firewall separating it from the DMZ. It also makes external reconnaissance more difficult for the same reason. Although the servers in the DMZ are publicly exposed, they are backed by another layer of protection. The public face of the DMZ keeps attackers from seeing the contents of the internal private network. If attackers do manage to compromise the servers within the DMZ, they are still isolated from the private network by the DMZ’s internal barrier.
- Protection against IP spoofing: A DMZ can stall potential IP spoofers while another service on the network verifies the IP address’s legitimacy by testing whether it is reachable.
This section is abbreviated from searchsecurity.techtarget.com