What is DMZ or Demilitarized Zone?
In computer security, a DMZ or Demilitarized Zone is a physical or logical subnetwork that separates an organization’s internal network (LAN) from an untrusted network, usually the Internet. Usually the servers that can be accessed from the external network, like web servers, mail servers, DNS, FTP etc., are placed in the DMZ, and the DMZ is separated from the rest of the internal network using firewalls. The name is derived from the term demilitarized zone, which is an area between nation states where no military operations are permitted. It is also called a perimeter network.
Why do we use a DMZ?
Servers that are accessible from the external network are the most exposed to cyber attacks. So the rest of the internal network of an enterprise should be protected from those servers, so that even if the security of those servers gets compromised, the rest of the internal network remains protected. For this reason, the publicly accessible servers of an enterprise, like web servers, mail servers, DNS etc., are placed in the DMZ and the rest of the internal network is protected from them. Usually the DMZ is separated from the rest of the internal network using a firewall, and the communication between the DMZ and the internal network is restricted. The communication between two hosts in the DMZ, as well as between the DMZ and the external network, is also restricted.
Which servers are placed in the DMZ?
Any server that provides services to users in the external network can be placed in the DMZ. The most common examples are:
- Web servers
- Mail servers
- FTP servers
- DNS
- VoIP servers
- Proxy servers
Web servers can communicate with the database servers. They can do so through a Web Application Firewall (What is a Web Application Firewall?) for security. Web servers can be placed in the DMZ and the database server can be in the internal network, depending on the sensitivity of the data in the database.
Similarly, mail servers can be placed in the DMZ while the database containing sensitive email messages and user data is placed in the internal network and is not accessible from the external network.
Organizations can also include proxy servers in the DMZ (What are proxy servers and how do they work?). These proxy servers can be both Forward Proxy Servers and Reverse Proxy Servers. Forward Proxy Servers intercept requests originating from the internal network of the organization that ask for an external resource. They can monitor the web content and filter it accordingly for security purposes. Reverse Proxy Servers, on the other hand, intercept requests coming from the external network that ask for a resource on a server internal to the network, and filter them accordingly to reduce security threats. As these proxy servers are accessible from the external network, placing them in the DMZ reinforces security.
How to implement a DMZ?
A DMZ can be implemented in mainly two different ways – using a single firewall and using dual firewalls.
DMZ using a single firewall
In this method, a single firewall with three network interfaces is used. The first interface is connected to the external network, the second interface to the DMZ and the third interface to the internal network. As a single firewall is used, it must be able to handle all traffic going to the DMZ as well as the traffic from the internal network, and it also becomes a single point of failure.
DMZ using dual firewalls
In this case, two different firewalls are used. The first firewall is placed between the external network and the DMZ; it monitors all traffic between the external network and the DMZ and filters it accordingly. The second firewall is placed between the DMZ and the internal network and monitors and filters traffic between the DMZ and the internal network. As two firewalls are used, this method is more secure than the single firewall method. Also, the two firewalls should be from two different vendors, so that both of them do not contain the same security vulnerabilities and it becomes more difficult for attackers to bypass both firewalls to reach the internal network.
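The forwarding policy that the three-interface single firewall enforces between the external, DMZ and internal zones, as an added Python model that is not part of the original article: first-match rules with a default deny, the DMZ allowed to reach the internal network only from the web server to the database port, and DMZ hosts isolated from each other. The address ranges, hosts and ports are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional
# Three-interface single-firewall DMZ: external / DMZ / internal zones.
# Address ranges, hosts and ports below are constructed for this example.
ZONES = {"dmz": ip_network("192.0.2.0/24"), "internal": ip_network("10.0.0.0/8")}

def zone_of(addr: str) -> str:
    # Anything outside the DMZ and LAN ranges is treated as external.
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "external")

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_ports: FrozenSet[int]        # empty set = any port
    action: str                      # "accept" or "drop"
    src_host: Optional[str] = None   # pin the rule to one source address

# First-match rule set; anything not matched hits the default drop.
POLICY = [
    # External users may only reach the published DMZ services.
    Rule("external", "dmz", frozenset({25, 53, 80, 443}), "accept"),
    # Only the DMZ web server may open the DB port toward the LAN; all other
    # DMZ-to-LAN connections are dropped, so a compromised host cannot pivot.
    Rule("dmz", "internal", frozenset({5432}), "accept", src_host="192.0.2.10"),
    Rule("dmz", "internal", frozenset(), "drop"),
    # DMZ hosts may only talk outbound for DNS and mail delivery.
    Rule("dmz", "external", frozenset({53, 25}), "accept"),
    # LAN admins manage DMZ hosts over SSH and HTTPS only.
    Rule("internal", "dmz", frozenset({22, 443}), "accept"),
    # LAN clients may browse the Internet.
    Rule("internal", "external", frozenset(), "accept"),
]

def decide(src: str, dst: str, dport: int) -> str:
    """Return 'accept' or 'drop' for a new connection (first match wins)."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz == "dmz":
        return "drop"   # DMZ hosts are isolated from each other
    for r in POLICY:
        if r.src_zone != sz or r.dst_zone != dz:
            continue
        if r.src_host and r.src_host != src:
            continue
        if r.dst_ports and dport not in r.dst_ports:
            continue
        return r.action
    return "drop"       # default deny
```

In the dual-firewall design the same policy is split: the external/DMZ rules live on the outer firewall and the DMZ/internal rules on the inner one.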
So, this was an introductory article on DMZ. Hope it helps.
Read More
How does Network Segmentation improve security and what is VLAN ?
How do proxy servers work ?
How do NAT and VPN work ?
What is Next Generation Firewall or NGFW ?
What is Deep Packet Inspection ?
What is Web Application Firewall ?