What is a DMZ (Demilitarized Zone) Network? – sunnyvalley.io
The term DMZ, which stands for demilitarized zone, is derived from a military term. Nations at war with each other may set up a demilitarized zone, usually through treaties, in which no country is permitted to keep military forces. The best-known one is the Korean DMZ between North and South Korea. The purpose of the Korean DMZ is to protect both countries from strikes: if one country were to attack the other, it would have to cross this strip of land, giving the defending side at least a few minutes of warning of an impending attack and time to ready its defenses. Because no one is permitted in that parcel of land without a serious approval process, it makes it possible to distinguish threats from non-threats.
In network security, the DMZ, also called a perimeter network, is a small, isolated network that sits between an untrusted external network, such as the Internet, and the internal networks (LAN).
The main purpose of the DMZ is to add an additional layer of security to an organization’s private network (LAN) and to grant external, untrusted sources restricted access to publicly available information while protecting the internal networks from outside attacks.
It also safeguards an organization’s external-facing services and resources, such as DNS, VoIP, email, FTP, proxy, and web, against an untrusted network, most commonly the Internet. Although these DMZ servers are reachable from both the untrusted and trusted zones, they are isolated and cannot access the trusted internal zone. As a result, a DMZ strategy makes it more difficult for a hacker to gain direct access to an organization’s sensitive data and internal servers.
Today, many organizations are implementing DMZ networks to improve their IT security and reduce the risk of cyberattacks. In this article, the following aspects of the DMZ network are covered briefly:
- How does a DMZ Network Work?
- Why Are DMZ Networks Important?
- What is DMZ Used for?
- What are DMZ Settings?
- Benefits & Drawbacks of DMZ Network
- Who Uses a Network DMZ?
- Is DMZ safe?
- What is the difference between DMZ and firewall?
- What is the Advantage of Setting up a DMZ with Two Firewalls?
- What is the DMZ IP Address?
- What is my DMZ Host IP Address?
- What is DMZ Mode?
- What is the DMZ Network?
- What is DMZ Host in Router?
- What is DMZ Port?
- What is DMZ in Firewall?
- What is DMZ in FortiGate Firewall?
How does a DMZ Network Work?
Businesses that provide a service to their customers via the Internet must make their applications or web servers accessible from the Internet. Doing so directly would expose their entire internal network and critical data to cyberattacks. To stay safe from cyber threats, public servers are hosted on a separate, isolated network: the DMZ network.
A DMZ network acts as a barrier between the Internet and a company’s internal network. A security gateway, such as an external firewall, protects the DMZ servers by filtering traffic from the Internet. Another security gateway separates the DMZ from the LAN by filtering traffic between the LAN and the DMZ.
Both the internal and external networks may be allowed to connect to the DMZ. Hosts in the DMZ, on the other hand, may not connect to the internal network at all, or have only limited connectivity to specific hosts in the internal network, while connections from the DMZ to the external network are permitted. Alternatively, connections between DMZ systems and internal systems are screened for malicious content. In this way the hosts in the DMZ can provide services to the external network, and the internal network is protected in the event that an intruder compromises a DMZ host. The DMZ is a dead end for cybercriminals on the external network who want to connect to the internal network illegally.
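The zone policy just described can be written down as a small rule table: a three-interface firewall classifies each new connection by the interface it arrived on and by source and destination zone, discards packets whose source address does not belong on the ingress interface, and then applies the DMZ rules in order with a default deny. The block below is an added example, not code from the article or any firewall product; the addresses, host roles and the single permitted DMZ-to-database path are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for a three-interface firewall: one interface per zone.
# All addresses and host roles below are illustrative assumptions, not from the article.
ZONE_NETS = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}
IFACE_ZONE = {"wan": "external", "dmz": "dmz", "lan": "internal"}

WEB_SRV = "192.0.2.10"   # public web server in the DMZ (assumed)
MAIL_SRV = "192.0.2.25"  # DMZ mail relay (assumed)
DB_SRV = "10.0.5.20"     # internal database the web tier needs (assumed)

# Rule table, evaluated top to bottom for connection-initiating packets only
# (return traffic is assumed to be handled by the firewall's connection tracking).
# None means "any". Anything not matched falls through to the default drop.
RULES = [
    # src_zone,  src_host, dst_zone,   dst_host, proto, dport, verdict
    ("external", None,     "dmz",      WEB_SRV,  "tcp", 443,   "accept"),
    ("external", None,     "dmz",      MAIL_SRV, "tcp", 25,    "accept"),
    ("dmz",      WEB_SRV,  "internal", DB_SRV,   "tcp", 5432,  "accept"),  # the one permitted DMZ->LAN path
    ("dmz",      None,     "internal", None,     None,  None,  "drop"),    # no other DMZ-initiated access to the LAN
    ("dmz",      None,     "external", None,     None,  None,  "accept"),
    ("internal", None,     "dmz",      None,     None,  None,  "accept"),
    ("internal", None,     "external", None,     None,  None,  "accept"),
]


@dataclass(frozen=True)
class Flow:
    in_iface: str  # interface the first packet of the connection arrived on
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is external."""
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONE_NETS.items():
        if addr in net:
            return zone
    return "external"


def evaluate(flow: Flow) -> str:
    src_zone = zone_of(flow.src)
    # Anti-spoofing: a packet claiming an internal or DMZ source must arrive on
    # that zone's interface; otherwise it is treated as spoofed and dropped.
    if IFACE_ZONE[flow.in_iface] != src_zone:
        return "drop-spoofed"
    dst_zone = zone_of(flow.dst)
    for sz, sh, dz, dh, proto, dport, verdict in RULES:
        if (sz == src_zone and dz == dst_zone
                and sh in (None, flow.src) and dh in (None, flow.dst)
                and proto in (None, flow.proto) and dport in (None, flow.dport)):
            return verdict
    return "drop"  # default deny, which also covers any external-to-internal attempt


if __name__ == "__main__":
    for f in [Flow("wan", "203.0.113.7", WEB_SRV, "tcp", 443),
              Flow("wan", "203.0.113.7", DB_SRV, "tcp", 5432),
              Flow("dmz", WEB_SRV, DB_SRV, "tcp", 5432),
              Flow("dmz", MAIL_SRV, DB_SRV, "tcp", 5432),
              Flow("wan", "10.0.0.5", WEB_SRV, "tcp", 443)]:
        print(f.in_iface, f.src, "->", f.dst, f.dport, evaluate(f))
```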
Why Are DMZ Networks Important?
Since the introduction of firewalls, DMZ networks have played a key role in securing enterprise networks. They keep internal networks separate from systems that could be targeted by attackers, thereby protecting sensitive data, systems, and resources. Furthermore, DMZ networks allow companies to control and limit access to critical systems.
Besides that, demilitarized zones (DMZs) are beneficial in mitigating the security risks posed by Internet-of-Things (IoT) devices and operational technology (OT) systems, which create a large attack surface. Both OT systems and IoT devices are vulnerable to cyber threats: neither has been designed to withstand or recover from cyberattacks, which poses a significant risk to organizations’ crucial services and information. A demilitarized zone (DMZ) offers network segmentation that reduces the risk of a cyber threat harming industrial infrastructure.
Nowadays, virtual machines (VMs) and containers are increasingly used by companies to separate specific applications from the rest of their systems or networks. Because of the rapid expansion of the cloud, many companies no longer require internal web servers. They have also moved a large portion of their external infrastructure to the cloud by utilizing Software-as-a-Service (SaaS) applications. Cloud service providers enable a company that runs applications on-premises and via virtual private networks (VPNs) to use a hybrid approach, with the DMZ sitting between the two. This approach is also useful for auditing outgoing traffic or controlling traffic between an on-premises data center and virtual networks.
What is DMZ Used for?
The DMZ can contain any service that is provided to users on the external network. Any organization that keeps critical information on its servers and needs to provide public Internet access should deploy a DMZ. In fact, some businesses are required by law to do so. The services that are commonly provided in the DMZ network are listed below:
- DNS Servers: As a best practice, organizations should use separate DNS servers for external and internal queries. While the internal DNS server is placed on the internal network, externally accessible DNS servers are placed in the DMZ network, which is secure but also accessible from the public network. Locating a DNS server within the DMZ prevents external DNS requests from gaining access to the internal network. Installing a second DNS server on the internal network can provide additional security. If a company has only one DNS server for both internal and external DNS queries, it should be located in the DMZ, and internal users should access it from the internal network.
Figure 1. DMZ deployment example
- VoIP Servers: VoIP servers may communicate with both the internal network and the Internet, yet access to the internal side is restricted, and firewalls are set up to scan all traffic entering the internal LAN.
- FTP Servers: Some companies need to provide an FTP service for their customers via the Internet, but this service carries significant security risks. Therefore, they allow it within the DMZ while keeping the server behind the firewall(s).
- Mail Servers: Since e-mail contents and user information are private, they are generally stored on servers that cannot be accessed via the Internet. However, they can be accessed from email servers that are exposed to the Internet. The mail server inside the DMZ routes incoming mail to the internal mail server and also handles outgoing mail.
- Proxy Servers: Some organizations install a proxy server within the DMZ for security, compliance with legal standards such as HIPAA, and monitoring purposes. The benefits of installing a proxy server in the DMZ are listed below:
  - Simplifies user activity recording and monitoring.
  - Internal users (typically employees) are required to use the proxy server for Internet access.
  - The caching capability of the proxy service reduces Internet bandwidth requirements.
  - Filtering of web content at a centralized level.
- Web Servers: Web servers that require access to an internal database server that contains critical data and cannot be publicly accessible are deployed in the DMZ network. These web servers communicate with the database servers through a firewall for security reasons.
What are DMZ Settings?
The firewall is a critical component of a DMZ setup. Firewalls filter traffic between different zones, allowing or denying traffic based on a set of rules that examine packet addresses, ports, header fields, and even message content.
A DMZ can be designed using a single firewall or dual and multiple firewalls. The majority of current DMZ architectures employ dual firewalls, which can be expanded to create more complicated network infrastructures.
- 1. Single firewall: To deploy a DMZ on a single firewall, the firewall must have at least three network interfaces. One interface is used for the external network (Internet) connection, the second is linked to the DMZ, and the remaining interfaces are configured for the internal private network. Various rules monitor and control the traffic allowed to reach the DMZ, as well as the limited connectivity to the internal network.
Figure 2. Single Firewall DMZ
This configuration consists of three key components.
- Firewall: All external traffic must first pass through the firewall.
- A DMZ switch: It directs traffic to a public server. Traffic is routed through an internal switch to an internal server.
- Servers: There must be both a public and a private server.
- 2. Dual firewall: The dual firewall DMZ design provides more security than the single firewall design. In this approach, the first firewall is deployed between the external network and the DMZ network and allows network packets from the outside world only into the DMZ, while the second firewall is placed between the DMZ and the internal network and only allows traffic from the DMZ into the internal network. To gain access to an organization’s private LAN, a hacker would have to compromise both firewalls.
Figure 3. Dual Firewall DMZ
This configuration consists of three key components.
- Firewalls: Public traffic only passes through an external firewall. However, in order to access more critical resources, users must pass through an internal firewall.
- DMZ: This zone contains public resources that can be accessed after passing through the external firewall.
- LAN: Private resources are available on the LAN, but they can only be accessed after passing through the internal firewall.
Security measures for different network segments can also be fine-tuned by companies. For example, network security teams may deploy an intrusion prevention system (IPS) or an intrusion detection system (IDS) within the DMZ network to deny all traffic to TCP port 443 except Hypertext Transfer Protocol Secure (HTTPS) requests. As another example, depending on the services deployed in the DMZ network, a company may want to install an email scanning solution, a web application firewall (WAF), or other security controls to provide specific protection to the deployed services.
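The IPS example above (deny everything on TCP port 443 except genuine HTTPS) amounts to checking that the first client bytes on the port are a TLS ClientHello rather than some other protocol tunnelled over 443. The block below is an added example, not from the article or any IDS product: it parses the TLS record and handshake headers and runs the check over a few constructed first-packet payloads.

```python
# Added example: a minimal "is this really TLS?" check for traffic on TCP 443,
# of the kind an IDS/IPS in the DMZ would apply. All payloads below are constructed.

TLS_HANDSHAKE = 0x16   # record-layer content type for handshake messages
CLIENT_HELLO = 0x01    # handshake message type of a ClientHello


def parse_tls_client_hello(payload: bytes):
    """Return ((major, minor), handshake_len) if payload starts with a TLS ClientHello, else None.

    Record header: type(1) version(2) length(2); handshake header: type(1) length(3).
    """
    if len(payload) < 9:
        return None
    if payload[0] != TLS_HANDSHAKE:
        return None
    major, minor = payload[1], payload[2]
    # Accept TLS 1.0..1.3 record versions (0x0301..0x0303); reject SSLv3 and junk.
    if major != 0x03 or not 1 <= minor <= 3:
        return None
    record_len = int.from_bytes(payload[3:5], "big")
    if payload[5] != CLIENT_HELLO:
        return None
    handshake_len = int.from_bytes(payload[6:9], "big")
    # The handshake message plus its 4-byte header must fit inside the record.
    if handshake_len + 4 > record_len:
        return None
    return (major, minor), handshake_len


def verdict_for_443(payload: bytes) -> str:
    """Policy from the article's example: only HTTPS (TLS) may pass on port 443."""
    return "accept" if parse_tls_client_hello(payload) is not None else "drop"


# Constructed first-packet payloads as an IDS might see them on port 443
SAMPLES = {
    # TLS 1.2 record version 0x0303, 0xc4-byte record carrying a 0xc0-byte ClientHello
    "browser": bytes.fromhex("16030300c4" "010000c0" "0303") + b"\x00" * 0xbe,
    "ssh-over-443": b"SSH-2.0-OpenSSH_9.3\r\n",
    "plain-http": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "tls-alert": bytes.fromhex("1503030002" "0228"),  # TLS record, but an alert, not a ClientHello
    "sslv3": bytes.fromhex("16030000c4" "010000c0" "0300") + b"\x00" * 0xbe,
}


def scan_samples(samples=SAMPLES):
    """Apply the port-443 policy to every sample and return name -> verdict."""
    return {name: verdict_for_443(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, v in scan_samples().items():
        print(f"{name:14s} {v}")
```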
Benefits & Drawbacks of DMZ Network
The main advantage of deploying a DMZ network is that it adds an extra layer of security to an internal network by limiting access to servers and sensitive data. A DMZ allows Internet users to access specific IT services while acting as a barrier between them and the organization’s internal network. A correctly implemented DMZ network provides organizations with additional security by detecting and mitigating security flaws before they reach the internal network, where important assets are kept.
The benefits of the DMZ network are as follows:
- Access Control: Through the public Internet, companies can provide users with access to services that are not within the boundaries of their network. The DMZ provides accessibility while also implementing network segmentation to make it more difficult for an unauthorized party to gain access to the confidential intranet. A proxy server may also be included in a DMZ, which centralizes URL filtering and simplifies monitoring and recording of that traffic.
- Internet Protocol (IP) Spoofing Prevention: Hackers use IP address spoofing techniques to imitate a trusted device that is signed in to a network in order to gain access to private networks. A DMZ can detect and thwart such spoofing attempts while another service verifies the IP address’s legitimacy. The DMZ also provides network segmentation, allowing traffic to be organized and public services to be accessed outside of the internal private network.
- Defend against network reconnaissance: A DMZ stops attackers from performing reconnaissance to find possible targets by forming a protective layer between the Internet and a private network. Servers in the DMZ are exposed to the public but are protected by a firewall that hinders an intruder from seeing inside the internal network. Even if a DMZ system is compromised, the internal firewall protects the private network by separating it from the DMZ, making external reconnaissance hard. A data breach takes an average of 280 days to detect and repair. By setting up a DMZ server with plenty of alerts, administrators will be notified more quickly when there is a breach attempt.
- Higher Network Performance: Internet-facing systems are intended to be frequently accessed by Internet users. Deploying these systems in a DMZ reduces the traffic load on internal network infrastructure and firewalls, resulting in improved performance.
The use of a DMZ has downsides, as do all positive things. It has been argued that in order to attain total security, usability must be eliminated: the more secure anything is, the more difficult or unpleasant it will be to use, and a good DMZ is no exception. The disadvantages and weaknesses of DMZ architecture are summarized below.
DMZs may affect the network in a manner that is often neglected when the design is planned and deployed. They may severely impair network speed and network management, particularly for users on the internal network, by requiring them to traverse more hops before gaining access to the external/public network. When isolated in a DMZ, access to public servers is likewise significantly limited. Your users will not be able to access a system in the DMZ easily, so you will need to rearrange your network access rules and maybe acquire another machine to handle the private services.
Every network security mechanism, device, and design is flawed and will not be able to thwart every potential attempt by an attacker to breach the network, especially today, when attackers have access to a variety of tools and tactics to achieve their objectives. A DMZ is not flawless, nor is it the be-all and end-all of a company’s network security posture. The DMZ is intended to be one component of a complete network security posture that includes multiple other aspects to ensure the network’s maximum security.
Packet sniffing is an example of how a DMZ fails to safeguard the network. Even though packet sniffing is not always harmful, it is undesirable on a network. If an attacker is able to run a packet sniffer and record network packets, they will have access to a wealth of information about the network and even the communicating devices themselves. This is particularly perilous if no encryption is employed on the packets being sent. If data is transferred from one point to another without encryption and an attacker captures these packets, account credentials, personal data, and so on may be collected and read as plain text.
A DMZ also lacks another crucial aspect. Once a network has been breached, a DMZ by itself is powerless (aside from keeping the threat quarantined in the DMZ). If a hostile entity such as a virus, Trojan horse, or worm acquires access to the resources contained inside the DMZ, the DMZ will be unable to isolate or eradicate the threat. Although this is one of the fundamental reasons for establishing a DMZ (so that this region is infected and not the internal network), the resources held in this area are still valuable. For an enterprise, these resources are customer-facing, and any interruption they incur might result in lost revenue or business. The firewalls that are generally built around the DMZ cannot identify these sorts of hostile entities and hence cannot address them appropriately. For this reason, it is crucial to implement security technologies inside the DMZ itself to assist in identifying and eliminating such threats. Honeypots and intrusion detection and prevention systems (IDS/IPS) are examples of these additional security measures that should be implemented inside the DMZ. These extra tools may not only aid in protecting the network and preventing cyber attacks from occurring or succeeding, but they can also be instructive for the network security team in terms of the most typical techniques used against the network. This will assist the team in better preparing for and responding to possible future attacks.
Who Uses a Network DMZ?
Organizations that must meet certain standards, such as the Health Insurance Portability and Accountability Act (HIPAA), will occasionally deploy a DMZ network. They must create systems to safeguard critical data and report any breaches. Building a DMZ network allows them to minimize cyber risks while also demonstrating their commitment to privacy. They may also install a proxy server in the DMZ. This allows them to centralize web content filtering and simplify client monitoring and recording.
Is DMZ safe?
No. The DMZ network itself is not safe, because systems in the DMZ network are accessible from untrusted external zones such as the Internet. However, the DMZ protects systems located on internal private networks by isolating them from external networks.
What is the difference between DMZ and firewall?
A DMZ differs from a firewall in that a firewall is a network security system (a device or software) that monitors and restricts incoming and outgoing network traffic based on defined rules.
The primary objective of a DMZ is to enable access to assets from untrusted systems while keeping the private network protected. Assets usually put in the DMZ include mail servers, FTP servers, and VoIP servers.
A DMZ interface on a routing firewall is similar to the interfaces found on the protected side of the firewall. Traffic between the DMZ and other interfaces on the protected side of the firewall is still routed through the firewall and can be protected by firewall policies.
What is the Advantage of Setting up a DMZ with Two Firewalls?
The DMZ can be deployed using either a single or a dual firewall. It is best to place the DMZ between two firewalls for hardened security. The advantage of setting up a DMZ with two firewalls is explained below.
The external firewall configuration ensures that incoming network packets are examined by a firewall before they reach the servers hosted in the DMZ. Therefore, even if a hacker successfully compromises the first firewall, they must still gain access to the DMZ’s hardened services before causing damage to the company.
If a hacker is successful in breaching the external firewall and compromising a system in the DMZ, they must then compromise the internal firewall before gaining access to critical corporate resources. A skilled and experienced malicious hacker may be able to breach a secure DMZ, but the tools within it should sound alarms to provide ample warning that a breach is taking place.
It is possible to provide even more security by using multiple firewalls from different vendors, which is part of a “defense in depth” security strategy, because this reduces the likelihood that both devices are vulnerable to the same security flaws. A security hole discovered in one vendor’s system, for example, is less likely to occur in the other. One disadvantage of this approach is that it is more expensive to purchase and more difficult to manage.
What is the DMZ IP Address?
The DMZ IP address is a private IP address used for a device located in the DMZ network, such as a server, firewall, switch, or router. This static IP address may be manually configured in the device’s network settings or assigned by the reservation feature of the DHCP server.
The servers connected to the DMZ network can have both public and private IP addresses. With NAT, public IP addresses are mapped to the private IP addresses. While external users connect to the server using its public IP address, internal users connect to the server using its private IP address.
What is my DMZ Host IP Address?
In a home network, if the DMZ feature is enabled on the router, you may set or view your DMZ host IP address in the router’s configuration. Depending on the router, the DMZ IP address may be configured under different settings menus, such as Advanced or Security. For example:
- In a Linksys wifi router, the DMZ Host IP address can be set under Applications & Gaming > DMZ
- In a Huawei wifi router, the DMZ Host IP address can be set under More Functions > Security Settings > DMZ Host
- In an Xfinity wifi router, the DMZ Host IP address can be set under Gateway > Advanced > DMZ
- In a D-Link wifi router, the DMZ Host IP address can be set under Features > Firewall
- In a Netgear wifi router, the DMZ Host IP address can be set under WAN Setup > Advanced > Default DMZ Server
- In a TP-Link wifi router, the DMZ Host IP address can be set under Forwarding > DMZ
What is DMZ Mode?
DMZ mode is a useful feature supported by some gaming consoles such as Xbox One, Xbox 360, PS3/PS4, or Nintendo to provide better performance when Internet connectivity issues occur for home users. However, DMZ mode has security constraints. While consoles are usually safe to put in the DMZ, your router’s security measures will not protect them. It is not recommended to use DMZ mode for desktops.
What is the DMZ Network?
The DMZ network is a subnetwork between the public network/Internet and the private network. In other words, it is the network that connects the insecure and secure zones. The aim of the DMZ network is to enable access to some hosts/systems from an external untrusted network (i.e. the Internet), while securing the private network behind a firewall. DMZ servers are used to expose resources residing in the DMZ network to the public network. Services that are accessible from the Internet are put inside the DMZ network, while sensitive data is kept out of the DMZ.
What is DMZ Host in Router?
A DMZ can be configured on a home network router. The router forms a LAN to which desktops, printers, and other devices connect. Some home routers also include a DMZ host feature, which allows a device to operate outside the firewall and serve as the DMZ. All other devices in the home network remain behind the firewall. A DMZ host is a host on the internal network that has all UDP and TCP ports open and exposed, except those ports otherwise forwarded. The issue is that this particular computer can still communicate with the rest of the internal home network. This means that if the “DMZ host” has been compromised and infected with malware, the rest of the devices on the home network may be affected.
A gaming console is frequently an excellent choice for use as a DMZ host because it contains less sensitive data than a laptop or PC. Also, it guarantees that the firewall does not interfere with gaming performance.
What is DMZ Port?
A DMZ port is a physical Ethernet port (10/100 Mbps or 1 Gbps) on networking equipment such as a router, switch, or firewall, dedicated to the DMZ. This port is normally used for publicly accessible servers.
What is DMZ in Firewall?
For the DMZ network connection, a virtual or logical interface is created and configured on the firewall. Some firewall vendors also provide one or more physical interfaces dedicated to the DMZ network on their appliances.
Figure 4. DMZ in Firewall
As mentioned above, traffic may not be initiated from this network to the internal network. Servers that host publicly available applications or services, such as web or FTP, are located in this isolated area. A firewall controls all incoming and outgoing traffic through the DMZ.
What is DMZ in FortiGate Firewall?
Fortinet provides one or more physical interfaces on FortiGate appliances dedicated to the DMZ network, giving external users secure access to the servers in the DMZ while denying them access to other parts of the network.
Figure 5. Physical ports on FortiGate 140D-POE