DMZ: Working, Examples, Importance
A demilitarized zone (DMZ) is an isolated network segment, separated from the rest of the organization's network by physical or logical controls, in which services that must talk to untrusted networks can be exposed without giving those networks a path into the internal LAN. This article explains what a DMZ is, how it works, and why it matters in 2022.
What Is a Demilitarized Zone (DMZ)?
A demilitarized zone (DMZ) is an isolated network segment, separated from the rest of the organization's network by physical or logical controls, in which services that must talk to untrusted networks can be exposed without giving those networks a path into the internal LAN.
Demilitarized zones are isolated network segments on the enterprise perimeter that serve as a buffer between an organization's internal network and the external networks it does not control. The DMZ keeps unauthorized traffic from entering the company's internal local-area network. The name comes from military usage, where a demilitarized zone is an area in which warring parties agree to lay aside their disagreements to maintain a state of peace, for instance the narrow strip of land that separates North and South Korea on the Korean Peninsula.
Network components and services such as domain name system (DNS) servers, file transfer protocol (FTP) servers, web servers and proxy servers are typically placed in a DMZ. These servers are compartmentalized and given only limited access to the local area network (LAN), so that they can be reached from the internet without providing reach into the internal LAN. The DMZ makes it much harder for an attacker to get direct access from the internet to an organization's data and internal systems.
The DMZ's purpose is to allow connectivity with untrusted or external networks (for example, the public internet) while keeping the private network or LAN safe. Some additional security benefits of a DMZ:
- Allows access control: Businesses can offer customers services beyond the boundary of their network, over the public internet. Filtering at the DMZ boundary means only traffic matching the exposed services enters the DMZ, and an attacker who wants the internal network has to get through two filtering points, the outer and the inner, rather than one. A proxy server placed in the DMZ centralizes traffic leaving the internal network and simplifies monitoring and logging of that traffic.
- Prevents network reconnaissance: A DMZ lets a company expose essential internet-facing services without exposing its internal address space. Because the DMZ sits between the outside and the LAN, an attacker scanning from the internet sees only the DMZ hosts and cannot enumerate internal targets. If a DMZ host is compromised, the internal firewall still protects the private network and limits what the attacker can learn from inside the DMZ, so the loss of one node does not mean the loss of the whole network.
- Protects from internet protocol (IP) spoofing: Attackers may forge the source IP address of their packets to impersonate a trusted, already authorized device. The firewalls at the DMZ boundaries should apply anti-spoofing (ingress) filters: a packet arriving on the external interface that carries a source address belonging to the DMZ or internal ranges is dropped, because no genuine packet from those networks can arrive from outside. The DMZ itself does not verify addresses; the filter rule does, and the services behind it should still authenticate clients rather than trust a source address.
The DMZ also provides network segmentation: a separate space for organizing traffic and hosting public-facing services away from the enterprise's private network.
How Does a Demilitarized Zone (DMZ) Work?
Internet-facing systems take the brunt of most attacks and are the most exposed. A company's public servers must be reachable by people outside the organization, which makes them the likeliest targets. A business could outsource the public servers to a hosting firm, but servers it runs itself must be kept apart from the LAN: if they sit behind the same firewall as the internal network, a compromised public server has a direct path inward. The public servers are therefore placed on their own separate, isolated network segment.
A DMZ network acts as a buffer between an organization's private network and the internet. A security gateway, typically a firewall, filters traffic between the DMZ and the LAN to isolate the two; a second gateway in front of the DMZ filters traffic arriving from external networks. Ideally, the DMZ sits between these two firewalls.
The DMZ firewall setup ensures that incoming packets are inspected by a firewall, or another security control, before they reach the DMZ servers. Even if an attacker gets past the first firewall, they still have to compromise a hardened service in the DMZ to do the company significant harm. Suppose an attacker breaches the outer firewall and compromises a DMZ host. They must then also breach the internal firewall to reach sensitive corporate data. A skilled attacker may get into a well-protected DMZ, but the monitoring on the resources there should raise alerts that a breach is under way.
Organizations subject to compliance requirements may also deploy a proxy server in the DMZ. It centralizes user monitoring, analysis and web-content filtering and ensures employees reach the internet only through controlled systems. There are several ways to build a network with a DMZ; most modern designs use either one or two firewalls.
1. Single firewall
A single-firewall DMZ needs a firewall with three or more network interfaces. The first interface connects to the external network via the internet service provider (ISP), the second to the internal private network, and the third to the DMZ. The firewall is the sole barrier and must control all traffic between the DMZ, the internal network and the outside.
This architecture has three major components:
- Firewall: all external traffic must pass through the firewall first.
- DMZ switch: connects the DMZ hosts to the firewall's DMZ interface and carries traffic to the public servers; a separate internal switch carries traffic to the internal servers.
- Servers: both public servers (in the DMZ) and private servers (on the internal network) must be present.
2. Dual firewall
Building a DMZ with two firewalls provides more security. The first firewall, also referred to as the frontend firewall, accepts only traffic bound for the DMZ. The second, the backend firewall, controls only traffic between the DMZ and the internal network.
Firewalls from different vendors are often used at the two layers, since they are less likely to share the same vulnerabilities. This design is more effective over a broad network but also more costly.
Organizations can also tune the controls for each network segment. For instance, the firewalls around a DMZ can be configured to drop everything except hypertext transfer protocol secure (HTTPS) requests to TCP port 443 on the web server, with an intrusion detection system (IDS) or intrusion prevention system (IPS) inspecting the traffic that is allowed through.
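The zone policy described in this section (one firewall, three interfaces, anti-spoofing at the edge, and the web-server-to-database exception for DMZ-to-LAN traffic), as an added example that is not code from the original article or any firewall product: a small Python model that evaluates new connections against the zone rules. Interface names, address ranges, host addresses and the exposed ports are assumptions chosen for illustration, and the sample flows are constructed. A real deployment expresses the same rules in the firewall's own language (nftables, pf, a vendor policy), but the decisions it has to make are the ones modelled here.

```python
"""Zone policy model for a single-firewall (three-legged) DMZ.

Added example, not code from the original article or any firewall product.
Interface names, address ranges, hosts and ports are assumptions chosen for
illustration; the sample flows are constructed.
"""
from dataclasses import dataclass
import ipaddress

# Assumed addressing: TEST-NET-1 for the DMZ, a private range for the LAN,
# everything else is "external". One interface per zone.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
LAN_NET = ipaddress.ip_network("10.0.0.0/8")
IFACE_ZONE = {"eth0": "external", "eth1": "dmz", "eth2": "internal"}

# Assumed hosts.
WEB = ipaddress.ip_address("192.0.2.10")   # public web server, DMZ
DNS = ipaddress.ip_address("192.0.2.53")   # authoritative DNS, DMZ
DB = ipaddress.ip_address("10.0.5.20")     # database server, internal LAN

# Services the internet may reach: (DMZ host, protocol, port).
PUBLIC_SERVICES = {(WEB, "tcp", 443), (DNS, "udp", 53), (DNS, "tcp", 53)}
# The only connection a DMZ host may open into the LAN: web server -> database.
DMZ_TO_LAN = {(WEB, DB, "tcp", 5432)}


@dataclass(frozen=True)
class NewConnection:
    """First packet of a flow (TCP SYN or first UDP datagram). Replies are
    assumed to be admitted by stateful tracking and are not modelled."""
    in_iface: str
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    if ip in DMZ_NET:
        return "dmz"
    if ip in LAN_NET:
        return "internal"
    return "external"


def decide(c):
    """Return 'accept:<rule>' or 'drop:<reason>' for one new connection."""
    src, dst = ipaddress.ip_address(c.src), ipaddress.ip_address(c.dst)
    src_zone, dst_zone = zone_of(src), zone_of(dst)

    # Anti-spoofing: the source address must belong to the arrival interface's
    # zone. A LAN or DMZ address arriving from outside is forged.
    if src_zone != IFACE_ZONE[c.in_iface]:
        return "drop:spoofed-source"

    if src_zone == "external":
        if dst_zone == "dmz" and (dst, c.proto, c.dport) in PUBLIC_SERVICES:
            return "accept:public-service"
        if dst_zone == "dmz" and c.proto == "icmp":
            return "accept:icmp-rate-limited"   # a real ruleset applies a rate limit here
        return "drop:external-to-" + dst_zone   # nothing from outside reaches the LAN directly

    if src_zone == "dmz":
        if dst_zone == "internal" and (src, dst, c.proto, c.dport) in DMZ_TO_LAN:
            return "accept:dmz-backend"
        return "drop:dmz-to-" + dst_zone        # a DMZ host originates nothing else

    # Internal users and administrators may reach DMZ hosts and the internet.
    if dst_zone in ("dmz", "external"):
        return "accept:internal-egress"
    return "drop:internal-to-internal"          # same-zone traffic never transits the firewall


# Constructed sample flows; each comment states what the flow represents.
SAMPLE_FLOWS = [
    NewConnection("eth0", "203.0.113.5", "192.0.2.10", "tcp", 443),   # public HTTPS
    NewConnection("eth0", "203.0.113.5", "192.0.2.10", "tcp", 22),    # SSH from the internet
    NewConnection("eth0", "203.0.113.5", "10.0.5.20", "tcp", 5432),   # internet straight to the DB
    NewConnection("eth0", "10.0.0.7", "192.0.2.10", "tcp", 443),      # LAN address arriving from outside
    NewConnection("eth1", "192.0.2.10", "10.0.5.20", "tcp", 5432),    # web server to its database
    NewConnection("eth1", "192.0.2.10", "10.0.5.20", "tcp", 22),      # compromised web server trying SSH inward
    NewConnection("eth1", "192.0.2.53", "10.0.5.20", "tcp", 5432),    # DNS host trying the database port
    NewConnection("eth2", "10.0.0.7", "192.0.2.10", "tcp", 22),       # administrator from the LAN into the DMZ
]


def evaluate(flows=SAMPLE_FLOWS):
    return [decide(f) for f in flows]


if __name__ == "__main__":
    for f, verdict in zip(SAMPLE_FLOWS, evaluate()):
        print(f"{f.in_iface} {f.src} -> {f.dst}:{f.dport}/{f.proto}  {verdict}")
```

Two design points carry over to a real ruleset: the default in every direction is drop, with the accepts being a short explicit list, and the DMZ-to-LAN exception names a specific source host, destination host and port rather than "the DMZ subnet", so a compromised DNS host cannot reuse the web server's database path. In a dual-firewall design the external and DMZ rules live on the frontend firewall and the DMZ-to-LAN rules on the backend one, but the decisions are the same.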
Applications of DMZ
Some instances of DMZ networks may be found in:
- Cloud services: Cloud computing services may employ hybrid security by placing a DMZ between the virtual (cloud) network and an enterprise's on-premises network infrastructure. Organizations often use this strategy when part of their applications run in-house and part on the cloud network. A DMZ is also used to audit outgoing traffic or to apply granular control to traffic between virtual networks and on-premises data centers.
- Home networks: Home networks built around a broadband router can also use a DMZ. Many residential routers offer a DMZ or DMZ host setting, which forwards all inbound traffic not matched by another rule to one designated device, leaving the other devices behind the router's firewall. This is not a DMZ in the enterprise sense: the DMZ host still sits on the same LAN as every other device, so if it is compromised the attacker is already inside the home network. Use the setting only for a device you are prepared to treat as hostile, and prefer forwarding only the specific ports a service needs.
- Industrial control system (ICS): The term industrial control system refers to a broad category of control systems that includes distributed control systems (DCS), supervisory control and data acquisition (SCADA), programmable logic controllers (PLC) and other control system configurations. Industrial equipment is increasingly integrated with IT, giving smarter and more efficient manufacturing environments but also a larger attack surface. A DMZ between the IT network and the control network lets the two exchange data without allowing direct connections from the enterprise network, or the internet, to the controllers.
Examples of Demilitarized Zone (DMZ)
If a DMZ is implemented, every service that must be reachable from an external network should be placed in it. Six examples of systems deployed in a DMZ:
1. Web servers
Web servers that talk to internal database servers can be deployed in the DMZ while the databases, which hold the sensitive data, stay on the internal network. The backend firewall then allows only the web server, and only on the database port, to reach the database server; the connection may also pass through an application firewall. If the web server is compromised, the attacker gains that one path, not the whole LAN.
2. FTP servers
FTP, the file transfer protocol, is a standard network protocol for transferring files between a client and a server. A company's FTP server may host content for its website and let outside parties upload or download files directly, so it should always be isolated from critical internal systems. Note that plain FTP sends credentials and data in cleartext; an FTP service exposed in a DMZ should use FTPS or be replaced by SFTP.
3. Email servers
A mail server, also known as a mail transfer agent, accepts incoming email from local users and remote senders and relays outgoing messages for delivery. Individual mailboxes and the user database holding login credentials are normally kept on servers with no direct internet access. The mail transfer agent is therefore deployed in the DMZ, where it exchanges mail with the internet and communicates with the internal mail store without exposing that store to inbound traffic.
4. DNS servers
A DNS server holds a database of hostnames and their associated IP addresses and resolves names to addresses on request. DNS servers run specialized software and communicate with one another over dedicated protocols. Placing the authoritative DNS server for the organization's public zone in the DMZ keeps external DNS queries away from the internal network. A second DNS server on the internal network (split DNS) can hold internal names, and the DMZ server should not offer open recursion to arbitrary clients.
5. Proxy servers
A proxy server is often paired with a firewall. Internal clients send their web requests to the proxy; the proxy fetches the page and returns it to the requesting machine. Because the proxy opens the outbound connection on the client's behalf, internal machines never talk to external servers directly. This isolates internal networks from external ones and saves bandwidth by caching web content.
6. VoIP servers
Voice over internet protocol (VoIP) servers may connect to both the internal network and the internet, but their access to the internal network is restricted, and the firewalls inspect all traffic entering the internal LAN.
Importance of DMZ in 2022
Here are four reasons why companies should use DMZ networks:
1. It maintains ease-of-use while enforcing enterprise security policies
The most important advantage a DMZ offers an organization is that it strengthens the private network's defenses by restricting what outside users can reach. Users inside the organization can still access and share content on the internet, while unauthorized users outside the network cannot get at vital information on it. Because the DMZ mediates the traffic flowing into and out of the private environment, it is far less likely that an attacker gains full access to the internal network. Throughout, ease of use is unaffected.
2. It aids in IoT device management
Demilitarized zones (DMZs) can help reduce the security risk posed by Internet of Things (IoT) devices and operational technology (OT) systems, which together form a considerable attack surface. Both OT systems and IoT devices are frequently vulnerable: neither was engineered to resist or recover from cyberattacks, yet both can affect critical services and information in a company.
One way to manage IoT devices through a DMZ is a reverse proxy placed in the DMZ. It sits in front of the servers the devices report to, accepts the devices' connections, and forwards their requests to those servers, so the devices never connect to the internal network directly.
Most operational technology (OT) systems that are connected to the internet were not designed to withstand threats the way information technology (IT) devices were. With a DMZ between the two, and the closer monitoring it allows, it is far harder for ransomware and other threats to spread from IT systems into their much more exposed OT counterparts.
3. It enables secure usage of virtual machines
Enterprises increasingly use containers and virtual machines (VMs) to isolate networks or individual applications from the rest of their systems. With the growth of the cloud, many organizations no longer run internal web servers, and they have moved a significant part of their external infrastructure to the cloud and to software as a service (SaaS) applications. A DMZ lets cloud services offer such companies a hybrid security model, with the DMZ placed between the on-premises network and the virtual (cloud) networks.
4. It protects against (DDoS) attacks
A distributed denial of service (DDoS) attack is one of the most common attacks large organizations face. Its goal is to degrade the network's links to the point of uselessness or, in some cases, to take resources down entirely. One simple form floods the network with ICMP echo (ping) packets aimed at a particular device. Because answering pings from the internet is not an essential function, the firewalls around the DMZ can be configured to rate-limit or drop echo requests. Do not drop ICMP wholesale, though: messages such as "fragmentation needed" are required for path MTU discovery, and blocking them breaks connectivity. Note also that this only helps against unsophisticated floods; a volumetric DDoS that saturates the upstream link must be absorbed or scrubbed by the ISP or a mitigation provider before it reaches the DMZ firewall.
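One way a DMZ firewall handles a ping flood without blanket-blocking ICMP, as an added example that is not code from the original article or any firewall product: a per-source token bucket that sheds echo requests above an assumed rate while always passing the "fragmentation needed" messages that path MTU discovery relies on. The rate, burst size and packet timings are assumptions, and the packet streams are constructed. This mitigates a single-source flood at the edge; it does nothing for a volumetric attack that fills the upstream link.

```python
"""Per-source rate limit on ICMP echo requests at the DMZ edge.

Added example, not code from the original article. Rate, burst size and
packet timings are assumptions; the packet streams are constructed.
"""
from collections import namedtuple

# type 8 = echo request (ping); type 3 code 4 = fragmentation needed (PMTUD).
ICMP = namedtuple("ICMP", "time src type code")

RATE = 10.0   # sustained echo requests per second allowed per source address
BURST = 20    # bucket capacity: a short burst of this many passes unthrottled


class EchoLimiter:
    """Token bucket per source: each echo request costs one token, tokens
    refill at RATE per second up to BURST, requests with no token are dropped."""

    def __init__(self, rate=RATE, burst=BURST):
        self.rate, self.burst = rate, burst
        self.buckets = {}   # src -> (tokens, time of last update)

    def decide(self, pkt):
        if pkt.type == 3 and pkt.code == 4:
            return "accept:pmtud"         # never drop: blocking it breaks large transfers
        if pkt.type != 8:
            return "accept:other-icmp"    # replies and errors are left to stateful tracking
        tokens, last = self.buckets.get(pkt.src, (self.burst, pkt.time))
        tokens = min(self.burst, tokens + (pkt.time - last) * self.rate)
        if tokens >= 1:
            self.buckets[pkt.src] = (tokens - 1, pkt.time)
            return "accept:echo"
        self.buckets[pkt.src] = (tokens, pkt.time)
        return "drop:echo-rate"


def run_sample():
    """Feed three constructed streams through one limiter and tally verdicts per source."""
    flood = [ICMP(i * 0.001, "198.51.100.9", 8, 0) for i in range(100)]   # 100 pings in 0.1 s
    monitor = [ICMP(float(i), "203.0.113.7", 8, 0) for i in range(5)]     # a monitoring probe, 1/s
    pmtud = [ICMP(0.05, "192.0.2.1", 3, 4)]                               # router reporting its MTU
    limiter = EchoLimiter()
    tally = {}
    for pkt in sorted(flood + monitor + pmtud, key=lambda p: p.time):
        verdicts = tally.setdefault(pkt.src, {})
        v = limiter.decide(pkt)
        verdicts[v] = verdicts.get(v, 0) + 1
    return tally


if __name__ == "__main__":
    for src, verdicts in run_sample().items():
        print(src, verdicts)
```

With a burst of 20 and a refill of 10 per second, the flooding source gets its first 20 packets through and the remaining 80 are dropped, while the legitimate once-a-second probe and the router's PMTUD message are untouched. The per-source bucket keeps one noisy address from consuming the allowance of everyone else; a shared global limit would let a flooder cause exactly the denial of service it was meant to prevent.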
Best practices to realize the full importance of DMZ
Enterprises can maximize these benefits by following a set of DMZ best practices:
- Employ a two-firewall strategy: Two firewalls form a stronger barrier. The first is the outer fence, admitting traffic only into the DMZ; the internal firewall controls what passes from the DMZ into the internal network. An attacker therefore has to clear two separate hurdles to compromise the network.
- Adopt good vulnerability management techniques: Many security specialists recommend periodic vulnerability scans of DMZ systems to get timely warning of new vulnerabilities. DMZ systems should also be patched considerably more often than protected internal systems, to minimize the window between a fix being released and its being applied to the exposed servers.
- Ensure separation of duties: This matters especially if the DMZ is partially or wholly virtualized. Defining roles and responsibilities for each administrator of the virtualization infrastructure (VMware, for example) reduces errors and limits how much of the system any one administrator controls. Administrator or root access should be used only when genuinely required, which minimizes the chance of accidental or malicious misconfiguration.
- Improve data flows: Ideally, resources outside the DMZ open connections only into the DMZ, and services inside the DMZ reach the outside world only through proxies. Trust rises as you move inward: DMZ services are better protected than external ones, and internal services are better protected than those in the DMZ. Connections should therefore be initiated from the more trusted side: the better-protected service takes the client role and pulls data from the less-secure zone, rather than letting the less-secure zone push connections inward. Where a DMZ service does need a connection into the internal network (a web server to its database), restrict it to that one destination and port.
- For exposed services, use application-layer defenses: Prefer a network firewall with effective application-layer inspection over a plain port filter. It should be able to examine the traffic and block unauthorized attempts. A common example is screening inbound web requests for signs of embedded SQL injection and stopping them before they ever reach the web server.
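An application-layer check of the kind described in the last practice, as an added example that is not code from the original article or any commercial firewall: a Python function that screens inbound HTTP requests to a DMZ web server for a few structural problems (disallowed methods, path traversal, double-encoded values) and for SQL injection patterns in query and form fields. The method allow-list, size limit and patterns are assumptions, and the sample requests are constructed. Heuristics like these reduce what reaches the web server; they do not replace parameterised queries in the application itself.

```python
"""Application-layer screening of inbound HTTP requests for a DMZ web server.

Added example, not code from the original article or any product. The
method allow-list, size limit and patterns are assumptions; the sample
requests are constructed. Heuristics reduce what reaches the web server but
do not replace parameterised queries in the application itself.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_BODY = 64 * 1024   # bytes of form body accepted

# Fragments that have no place in ordinary form input.
SQLI_PATTERNS = [
    re.compile(r"(?i)\bunion\b[\s/*]+(all[\s/*]+)?\bselect\b"),          # UNION SELECT
    re.compile(r"(?i)['\"]\s*(or|and)\s+['\"\w]+\s*=\s*['\"\w]+"),       # ' or '1'='1
    re.compile(r"(?i)\b(or|and)\s+\d+\s*=\s*\d+"),                        # 1 OR 1=1
    re.compile(r"['\"]\s*(--|/\*)"),                                      # admin'--
    re.compile(r"(?i);\s*(drop|alter|insert|update|delete|exec|shutdown)\b"),   # stacked query
    re.compile(r"(?i)\b(sleep|benchmark|pg_sleep|waitfor)\s*\("),         # time-based probes
]


def _decode_again(value):
    """Decode a value that has already been percent-decoded once. Any change
    means it was double-encoded (e.g. %2527 for a quote), a common way to
    slip past a filter that decodes only once."""
    decoded = unquote(value)
    return decoded, decoded != value


def screen_request(method, target, body=""):
    """Return (True, 'ok') if the request may be forwarded, else (False, reason)."""
    if method.upper() not in ALLOWED_METHODS:
        return False, "method-not-allowed"
    if len(body) > MAX_BODY:
        return False, "body-too-large"

    parts = urlsplit(target)
    path, double = _decode_again(unquote(parts.path))
    if double:
        return False, "double-encoding:path"
    if any(ord(ch) < 0x20 for ch in path):
        return False, "control-char-in-path"
    if ".." in path.split("/"):
        return False, "path-traversal"

    # Query string and (form-encoded) body are inspected field by field;
    # parse_qsl performs the first percent-decode.
    fields = parse_qsl(parts.query, keep_blank_values=True)
    if body:
        fields += parse_qsl(body, keep_blank_values=True)
    for name, raw in fields:
        value, double = _decode_again(raw)
        if double:
            return False, f"double-encoding:{name}"
        if any(p.search(value) for p in SQLI_PATTERNS):
            return False, f"sqli:{name}"
    return True, "ok"


# Constructed requests: (method, request-target, form body).
SAMPLE_REQUESTS = [
    ("GET", "/products?id=42", ""),                            # ordinary lookup
    ("GET", "/products?id=42%20OR%201%3D1", ""),               # tautology in a numeric parameter
    ("POST", "/login", "user=admin%27--&pass=x"),              # comments out the password check
    ("GET", "/search?q=%2527%20union%20select%201", ""),       # double-encoded quote
    ("GET", "/static/..%2F..%2Fetc/passwd", ""),               # encoded traversal
    ("TRACE", "/", ""),                                        # method not offered
    ("POST", "/comment", "text=I+like+it+--+really"),          # dashes in free text, no quote: allowed
]


def screen_all(requests=SAMPLE_REQUESTS):
    return [screen_request(*r) for r in requests]


if __name__ == "__main__":
    for (method, target, _), verdict in zip(SAMPLE_REQUESTS, screen_all()):
        print(f"{method} {target}: {verdict}")
```

The decode-twice check is the part most often missing from home-grown filters: a filter that decodes once and then matches will let `%2527` through as a harmless `%27`, and the web server's own decoding turns it back into a quote. The free-text comment in the last sample shows the cost of pattern matching: the rules are deliberately anchored on a quote or keyword so that ordinary prose with dashes or the word "and" is not blocked, and any rule looser than that produces false positives the application team will ask you to remove.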
Takeaway
Demilitarized zones can be instrumental in maintaining enterprise security while allowing users to interact with external connections. Today, organizations rely on the web and public clouds for most operations, and it is almost impossible to restrict external access completely. By creating a DMZ between the core LAN and the rest of the wider internet, you can make external access more secure without interrupting productivity.