What is a DMZ Network? – Check Point Software
Mục Lục
The Purpose of a DMZ
A DMZ is designed to provide a location for services that belong to an organization but are less trusted or more exposed to compromise. Examples of systems that are commonly deployed on a DMZ include:
- Web Server
- DNS Server
- Mail Server
- FTP Server
All of these systems must be publicly accessible. However, they all are also potentially vulnerable to being compromised (such as exploitation of web application vulnerabilities) or could be used in an attack, like the use of DNS for Distributed Denial of Service (DDoS) attack amplification.
A DMZ enables an organization to expose Internet-facing functionality without placing the rest of their internal systems at risk. While systems located on the DMZ may have access to internal systems and sensitive data – such as the customer data stored on databases and used by web applications – connections between these DMZ-based systems and internal systems undergo additional inspection for malicious content.
DMZ Network Architecture
A DMZ is an isolated subnetwork within an organization’s network. The DMZ is defined by two strict segmented boundaries: one between the DMZ and the untrusted outside network (i.e. the Internet) and one between the DMZ and the trusted internal network.
These boundaries between the DMZ and other networks are strictly enforced and protected. An organization will deploy firewalls at both of the DMZ’s boundaries. These next-generation firewalls (NGFWs) inspect all traffic crossing the network boundary and have the ability to detect and block malicious content before it crosses the boundary from the Internet to the DMZ or from the DMZ to the protected internal network.
These network firewalls are essential to the security of the DMZ because they have the ability to enforce access controls between the DMZ and internal systems. These access controls are essential to minimizing the potential that a compromised system will place internal systems at risk and that an attacker can move laterally from a compromised system on the DMZ throughout the network.
While a firewall is all that is required to define a DMZ’s boundaries, an organization can deploy additional defenses on these boundaries as well. Depending on the services implemented within the DMZ, an organization may wish to deploy a web application firewall (WAF), email scanning solution, or other security controls to provide targeted protection to the deployed services.
DMZ Network Benefits
Implementing a DMZ enables an organization to define multiple different levels and zones of trust within its network. This provides a number of benefits to an organization, including:
- Protection of Internet-Facing Systems: Email servers, web applications, and other Internet-facing systems need access to sensitive data, meaning that they must be protected against attack. Placing these systems on the DMZ enables them to be accessible to the public Internet while still being protected by the external firewall.
- Protection of Internal Systems: Some systems on the DMZ (such as FTP servers) pose a threat to the systems within an organization’s network. Placing these systems on a DMZ ensures that another layer of security inspection exists between these systems and the organization’s internal network.
- Limited Lateral Movement: Cyberattackers commonly exploit a system to gain a foothold on a network, then expand their access from that foothold. Since the most vulnerable and exploitable systems are located on the DMZ, it is more difficult to use them as a foothold to gain access to and exploit the internal protected network.
- Preventing Network Scanning: Attackers commonly scan organizations’ networks to identify computers and software that may be vulnerable to exploitation. Implementing a DMZ structures the network so that only systems that are intended to be Internet-facing are actually visible and scannable from the public Internet.
- Improved Access Control: Placing a firewall between the internal network and Internet-facing systems enables all connections between these systems to be inspected. This allows the organization to strictly define and enforce access controls to provide protection to the internal systems.
- Improved Network Performance: Internet-facing systems are designed to be accessed frequently by external users. Placing these systems on a DMZ reduces load on internal network infrastructure and firewalls, improving their performance.
Implementing a Secure DMZ
A DMZ provides an organization with an additional level of protection between an organization’s internal network and the public Internet. By isolating potentially vulnerable systems on a DMZ, an organization decreases risk to its internal systems.
However, a DMZ is only useful if the firewalls defending its boundaries are capable of detecting potential threats and implementing strong access controls. To learn what to look for in a NGFW, check out this buyer’s guide. You’re also welcome to check out this demo to see how Check Point NGFWs can improve your network security.