Ignorance may make us think that the Internet is a safe place – but the unseen forces that rule the Internet (such as hackers and their network scanning tools) constantly seek to gain entry into strategic business networks and home networks. The information security industry has borrowed the concept of ‘demilitarization’ from the army to bring in the concept of the ‘DMZ’ or ‘Demilitarized zone’ to secure internal networks. A DMZ is a semi-trusted area of the network that holds the organization’s public-facing resources.
Precursor to DMZ – ‘Firewalls’:
Before we step into the discussion of the DMZ, we will look at the concept of the ‘firewall’.
A ‘firewall’ is a term that most of us would have encountered in our digital lives. It is exactly as stated – a “wall of fire” that prevents unauthorized access by stray elements into our protected network resources. Firewalls are hardware-based or software-based. They make use of rules derived from an organization’s security policies to filter incoming and outgoing traffic. Firewalls are used in our security architecture to create a DMZ and protect digital resources.
How does DMZ work?
Small and big e-commerce sites, telecommuters and all types of businesses today use the Internet for their business deals and transactions. The software architecture of most organizations involves the user interface (front end), the business logic and the back end (the databases etc.). This might involve several Internet-facing servers such as public e-mail servers, public web servers and external DNS (Domain Name System) servers. Once these Internet-facing servers are compromised, it is easy to penetrate a company’s internal network and steal important data. It is therefore important to place these public-facing servers in a DMZ or ‘Demilitarized zone’.
The basic idea is that even if one of the Internet-facing servers in the DMZ is penetrated, the attackers cannot reach the internal network directly from it. The DMZ is hence another layer of protection for internal networks and business resources.
How do we design a DMZ?
Having seen why DMZs are necessary, let us look at the popular DMZ configurations: the single-firewall DMZ and the dual-firewall DMZ.
Single firewall DMZ:
The single-firewall DMZ is also known as a “trihomed DMZ” since the firewall has three interfaces, each facing a different zone (the trusted LAN or internal network, the “big bad Internet”, and the servers within the DMZ itself).
Separate rules have to be defined for the traffic flowing between each pair of zones: the LAN (internal network), the Internet and the DMZ itself. Configuring these rules correctly and accurately is what protects the internal network from attacks; because a single device enforces all three boundaries, one mistake in its rule set can expose everything behind it.
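The zone-to-zone rules described above, as an added example that is not part of the original post: a small Python model of a trihomed firewall’s policy for new connections, with constructed address ranges (10.0.0.0/24 for the LAN, 192.0.2.0/24 for the DMZ, anything else treated as the Internet) and an audit function that flags any rule letting Internet or DMZ traffic initiate into the LAN.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addressing for the three interfaces of a trihomed firewall.
# Anything outside these two ranges is treated as the Internet.
LAN = ip_network("10.0.0.0/24")
DMZ = ip_network("192.0.2.0/24")


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    if addr in LAN:
        return "lan"
    if addr in DMZ:
        return "dmz"
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


# First-match policy for NEW connections; reply traffic is assumed to be
# handled by the firewall's connection tracking. Unlisted traffic is denied.
POLICY: List[Rule] = [
    Rule("internet", "dmz", 443, "allow"),   # public web server
    Rule("internet", "dmz", 25, "allow"),    # public mail server
    Rule("internet", "dmz", 53, "allow"),    # external DNS
    Rule("lan", "dmz", None, "allow"),       # admins manage the DMZ hosts
    Rule("lan", "internet", None, "allow"),  # outbound browsing
    Rule("dmz", "lan", None, "deny"),        # a breached DMZ host must not reach inside
    Rule("internet", "lan", None, "deny"),   # the LAN is never exposed
]


def evaluate(src_ip: str, dst_ip: str, dport: int, policy: List[Rule] = POLICY) -> str:
    """Return the action the firewall takes for a new connection src -> dst:dport."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if rule.src_zone == src and rule.dst_zone == dst and rule.dport in (None, dport):
            return rule.action
    return "deny"  # default deny: anything not explicitly allowed is dropped


def audit(policy: List[Rule]) -> List[Rule]:
    """Flag rules that let Internet or DMZ traffic initiate connections into the LAN."""
    return [r for r in policy
            if r.dst_zone == "lan" and r.src_zone != "lan" and r.action == "allow"]
```

Running evaluate on a compromised DMZ host talking to a LAN database port, or on an Internet client aiming at the LAN, returns "deny" in both cases, while the same client reaching the DMZ web server on 443 is allowed.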
Dual firewall DMZ:
The dual-firewall DMZ, as illustrated in the picture, is much more secure than its single-firewall counterpart. However, it is more complex and more costly to implement. It has two firewalls: the front-end firewall and the back-end firewall. Two firewalls from different vendors are preferred, so that a vulnerability that compromises one firewall is unlikely to affect the other, which continues to protect the internal network.
The front-end firewall faces externally towards the Internet and internally towards the DMZ servers. The back-end firewall, on the other hand, faces externally towards the DMZ servers and internally towards the internal network. Each firewall segments the traffic on its own boundary, making sure that no external traffic (from the Internet) ever gets to access the internal network directly.
We have briefly seen what DMZs are and how they can be used to protect internal networks. But DMZs have to be coupled with other strategies (such as anti-virus software and patching) to mitigate security risks. Join me as we uncover more security aspects to protect digital assets.
Images source: Google images