
DMZ (computing)

From Wikipedia, the free encyclopedia


In computer security, a DMZ or Demilitarized Zone (sometimes referred to as a perimeter network) is a
physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger
and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an
organization's local area network (LAN); an external attacker only has direct access to equipment in the DMZ,
rather than any other part of the network. The name is derived from the term "demilitarized zone", an area
between nation states in which military operation is not permitted.
Contents
1 Rationale
2 Services in the DMZ
3 Architecture
3.1 Single firewall
3.2 Dual firewall
4 DMZ host
5 See also
6 References
Rationale
In the military sense, a DMZ is not seen as belonging to either party bordering it. This concept applies to the
computing use of the metaphor in that a DMZ which is, for example, acting as a gateway to the public Internet,
is neither as secure as the internal network, nor as insecure as the public Internet.
In this case, the hosts most vulnerable to attack are those that provide services to users outside of the local area
network, such as e-mail, web and Domain Name System (DNS) servers. Because of the increased potential of
these hosts suffering an attack, they are placed into this specific sub-network in order to protect the rest of the
network if an intruder were to successfully compromise any of them.
Hosts in the DMZ are permitted to have only limited connectivity to specific hosts in the internal network, as the
content of the DMZ is not as secure as the internal network. Similarly, communication between hosts in the DMZ
and the external network is also restricted, to make the DMZ more secure than the Internet, and suitable for
housing these special purpose services. This allows hosts in the DMZ to communicate with both the internal and
external network, while an intervening firewall controls the traffic between the DMZ servers and the internal
network clients, and another firewall would perform some level of control to protect the DMZ from the external
network.
A DMZ configuration provides security from external attacks, but it typically has no bearing on internal attacks
such as sniffing communication via a packet analyzer or spoofing such as e-mail spoofing.
DMZ (computing) - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/DMZ_(computing)
1 of 4 15-05-2014 5:32 PM
It is also sometimes good practice to configure a separate Classified Militarized Zone (CMZ), a highly monitored
militarized zone comprising mostly web servers (and similar servers that interface to the external world, i.e.
the Internet) that are not in the DMZ but contain sensitive information about accessing servers within the LAN (like
the database servers). In such an architecture, the DMZ usually has the application firewall and the FTP whilst the
CMZ hosts the web servers. (The database servers could be in the CMZ or in the LAN or in a separate VLAN
altogether.)
Services in the DMZ
Any service that is being provided to users on the external network can be placed in the DMZ. The most
common of these services are:
Web servers
Mail servers
FTP servers
VoIP servers
Web servers that communicate with an internal database require access to a database server, which may not be
publicly accessible and may contain sensitive information. The web servers can communicate with database
servers either directly or through an application firewall for security reasons.
E-mail messages and particularly the user database are confidential, so they are typically stored on servers that
cannot be accessed from the Internet (at least not in an insecure manner), but can be accessed from email
servers that are exposed to the Internet.
The mail server inside the DMZ passes incoming mail to the secured/internal mail servers. It also handles
outgoing mail.
For security, compliance with legal standards such as HIPAA, and monitoring reasons, in a business
environment, some enterprises install a proxy server within the DMZ. This has the following benefits:
Obliges internal users (usually employees) to use the proxy server for Internet access.
Reduces Internet access bandwidth requirements, since some web content may be cached by the proxy
server.
Simplifies recording and monitoring of user activities.
Centralizes web content filtering.
A reverse proxy server, like a proxy server, is an intermediary, but is used the other way around. Instead of
providing a service to internal users wanting to access an external network, it provides indirect access for an
external network (usually the Internet) to internal resources. For example, a back office application access, such
as an email system, could be provided to external users (to read emails while outside the company) but the
remote user would not have direct access to their email server. Only the reverse proxy server can physically
access the internal email server. This is an extra layer of security, which is particularly recommended when
internal resources need to be accessed from the outside. Usually such a reverse proxy mechanism is provided by
using an application layer firewall as they focus on the specific shape of the traffic rather than controlling access
to specific TCP and UDP ports as a packet filter firewall does.
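The paragraph above draws the distinction between a packet filter, which decides on addresses and ports, and an application layer firewall or reverse proxy, which decides on the shape of the traffic itself. The following is an added example written for this page, not code from Wikipedia or from any product it mentions: a minimal reverse-proxy policy that parses an HTTP/1.x request and forwards only a published host, method and path combination to an internal server, beside a port-only packet filter that passes every one of the same requests. The host name mail.example.com, the routes under /mail/, the upstream address 10.0.0.25:8080 and the sample requests are all constructed for illustration.

```python
import re

REQUEST_LINE = re.compile(r"^([A-Z]+) (/[^ ]*) HTTP/1\.[01]$")

# Constructed publication policy for a reverse proxy that fronts an internal mail server.
PUBLISHED_HOST = "mail.example.com"
PUBLISHED_ROUTES = (("GET", "/mail/"), ("POST", "/mail/send"))  # prefix if it ends with "/", else exact
UPSTREAM = ("10.0.0.25", 8080)   # internal server; only the proxy can reach it (assumed address)


def packet_filter_allows(dst_port):
    """A packet filter decides on addresses and ports only; everything on 443 looks alike to it."""
    return dst_port == 443


def parse_request(raw):
    """Return (method, path, headers) or raise ValueError for anything not well-formed HTTP/1.x."""
    head, sep, _body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers


def route_matches(path, pattern):
    path = path.split("?", 1)[0]                   # the query string is not part of the route
    return path.startswith(pattern) if pattern.endswith("/") else path == pattern


def app_layer_decision(raw):
    """Forward only a published host/method/path combination; reject everything else."""
    try:
        method, path, headers = parse_request(raw)
    except ValueError as exc:
        return False, "reject: " + str(exc)
    if headers.get("host") != PUBLISHED_HOST:
        return False, "reject: host header is not a published name"
    if any(method == m and route_matches(path, p) for m, p in PUBLISHED_ROUTES):
        return True, "forward to %s:%d" % UPSTREAM
    return False, "reject: %s %s is not published" % (method, path)


# Constructed requests; all would arrive on TCP port 443 and so pass the packet filter.
SAMPLES = {
    "read inbox": "GET /mail/inbox?folder=1 HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "send mail": "POST /mail/send HTTP/1.1\r\nHost: mail.example.com\r\nContent-Length: 0\r\n\r\n",
    "admin console": "GET /admin/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "wrong method": "DELETE /mail/inbox HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "other host": "GET /mail/ HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n",
    "not http": "SSH-2.0-OpenSSH_8.9\r\n\r\n",
}


def compare_filters():
    """Map sample name -> (packet filter verdict, application-layer verdict)."""
    return {name: (packet_filter_allows(443), app_layer_decision(raw)[0])
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (pf, alf) in compare_filters().items():
        print("%-14s packet filter: %-5s  reverse proxy: %s" % (name, pf, alf))
```

Running the block prints one line per sample; the packet filter accepts all six because they share a port, while the application-layer policy forwards only the two requests that match the published routes. In a real deployment the same pattern is applied with TLS termination at the proxy and with header normalization, which this example leaves out.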
[Figure: Diagram of a typical three-legged network model employing a DMZ using a single firewall.]
[Figure: Diagram of a typical network employing a DMZ using dual firewalls.]
Architecture
There are many different ways to design a network with a DMZ. Two of the most basic methods are with a
single firewall, also known as the three-legged model, and with dual firewalls. These architectures can be
expanded to create very complex architectures depending on the network requirements.
Single firewall
A single firewall with at least 3 network interfaces can be used to create a
network architecture containing a DMZ. The external network is formed
from the ISP to the firewall on the first network interface, the internal
network is formed from the second network interface, and the DMZ is
formed from the third network interface. The firewall becomes a single
point of failure for the network and must be able to handle all of the traffic
going to the DMZ as well as the internal network. The zones are usually
marked with colors, for example purple for LAN, green for DMZ and red for
the Internet (with often another color used for wireless zones).
Dual firewall
A more secure approach is to use two firewalls to create a DMZ. The first
firewall (also called the "front-end" or "perimeter"[1] firewall) must be
configured to allow traffic destined to the DMZ only. The second firewall
(also called "back-end" or "internal" firewall) only allows traffic from the
DMZ to the internal network.
This setup is considered more secure since two devices would need to be
compromised. There is even more protection if the two firewalls are
provided by two different vendors, because it makes it less likely that both
devices suffer from the same security vulnerabilities. For example,
accidental misconfiguration is less likely to occur the same way across the
configuration interfaces of two different vendors, and a security hole found
to exist in one vendor's system is less likely to occur in the other one. The drawback of this architecture is that
it is more costly. The practice of using different firewalls from different vendors is sometimes described as a
component of a "defense in depth" security strategy.
DMZ host
Some home routers refer to a DMZ host. A home router DMZ host is a host on the internal network that has all
ports exposed, except those ports otherwise forwarded. By definition this is not a true DMZ (Demilitarized
Zone), since it alone does not separate the host from the internal network. That is, the DMZ host is able to
connect to hosts on the internal network, whereas hosts within a real DMZ are prevented from connecting with
the internal network by a firewall that separates them, unless the firewall permits the connection. A firewall may
allow this if a host on the internal network first requests a connection to the host within the DMZ. The DMZ
host provides none of the security advantages that a subnet provides and is often used as an easy method of
forwarding all ports to another firewall / NAT device.
See also
Bastion
Science DMZ Network Architecture - a DMZ for high-performance computing
References
SolutionBase: Strengthen network defenses by using a DMZ (http://www.techrepublic.com/article
/solutionbase-strengthen-network-defenses-by-using-a-dmz/) by Deb Shinder at TechRepublic.
Eric Maiwald. Network Security: A Beginner's Guide. Second Edition. McGraw-Hill/Osborne, 2003.
Internet Firewalls: Frequently Asked Questions, compiled by Matt Curtin, Marcus Ranum and Paul
Robertson.
1. ^ "Perimeter Firewall Design" (http://technet.microsoft.com/en-us/library/cc700828.aspx). Microsoft Security
TechCenter. Microsoft Corporation. Retrieved 14 October 2013.
Retrieved from "http://en.wikipedia.org/w/index.php?title=DMZ_(computing)&oldid=606633519"
Categories: Computer network security
This page was last modified on 1 May 2014 at 14:59.
