Every organization has an official public website that anyone on the Internet can reach. The data behind that site has to live on servers, and where those servers sit is the problem: they must be reachable by the public, yet an attacker who compromises one of them from the Internet must not be able to use it as a stepping stone into the internal network. The DMZ is the answer to this. It is a zone that lies between an organization's internal network and an external network, usually the Internet.
Concept of DMZ:
In military terms, a demilitarized zone (DMZ) is an area, usually the frontier or boundary between two or more military powers (or alliances), where military activity is not permitted, usually by peace treaty or other bilateral or multilateral agreement.
In a computer network, besides the Internet and the intranet, there is a demilitarized zone whose protection level lies between the two. The intranet is the high-security zone: it holds the organization's internal hosts, servers and other systems that must be protected from attack. The Internet is the outside public network and is treated as the low-security, untrusted zone.
Traffic flow in networks with a DMZ:
- Internal hosts can initiate connections to the DMZ and to the Internet.
- External hosts can reach only the DMZ, never the intranet.
- DMZ hosts can initiate connections to the Internet only, not into the intranet (replies to connections that internal hosts opened are still allowed, because the firewall tracks connection state).
Organizations use the DMZ to host their public web servers, which anyone can reach. All the internal servers stay in the internal network, which has the highest protection. Because the DMZ cannot initiate traffic into the internal network, an attacker who takes over a DMZ server from the outside is still blocked from the internal network, even though external users are allowed to reach the company's public servers. This only holds if the firewall rules are genuinely default-deny: every DMZ-to-internal flow that is allowed (such as a web server talking to an internal database, described below) is a path an attacker on that DMZ host can also use, so each exception should be pinned to a single source, destination and port.
Services in the DMZ:
Any service that is offered to users on the external network can be placed in the DMZ. The most common of these are:
- Web servers
- Mail servers
- FTP servers
- VoIP servers
A web server backed by an internal database needs a path to the database server, which should not itself be publicly reachable and may hold sensitive data. The web server can talk to the database either directly, through a narrow firewall rule (one source, one destination, one port), or via an application-layer firewall or proxy that inspects the database traffic. Either way, the database is what an attacker on a compromised web server will go for, so this link should be the only DMZ-to-internal flow permitted, and the database account the web application uses should have no more privileges than it needs.
DMZ in a network:
There are many different ways to design a network with a DMZ. Two of the most basic methods are with a single firewall and with dual firewalls.
A single firewall with at least three network interfaces can be used to build a network architecture containing a DMZ. The Internet connects to the first interface (the external network), the internal network hangs off the second interface, and the DMZ off the third. The firewall becomes a single point of failure for the network and must be able to handle all of the traffic going to the DMZ as well as to the internal network; a misconfiguration on this one device can expose both zones at once. The zones are usually marked with colours, for example purple for the LAN, green for the DMZ and red for the Internet.
A more secure approach is to use two firewalls to create the DMZ. The first (front-end or perimeter) firewall must be configured to allow only traffic destined for the DMZ. The second (back-end or internal) firewall sits between the DMZ and the internal network and allows only traffic from the internal network into the DMZ, plus whatever narrow exceptions the DMZ services need (such as the web-server-to-database link above); it does not let DMZ hosts open connections into the internal network.
This setup is considered more secure because an attacker would have to compromise two devices. Using firewalls from two different vendors adds further protection, since it makes it less likely that both devices suffer from the same security vulnerability: an accidental misconfiguration is less likely to be repeated the same way across two different configuration interfaces, and a security hole found in one vendor's product is less likely to exist in the other. This architecture is, of course, more costly, and it leaves two rulebases to keep patched and consistent with each other.
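The traffic-flow rules listed earlier, the single web-server-to-database exception, and the three-interface single-firewall design described above can be expressed as one nftables ruleset. The following is an added example written for this page, not code from the original article or from Wikipedia; the interface names, the address ranges, the web server and database addresses and the database port 5432 are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original page): a three-interface DMZ firewall.
# Assumed layout:
#   eth0 -> Internet (red)
#   eth1 -> internal LAN 10.0.0.0/24 (purple), database host 10.0.0.20
#   eth2 -> DMZ 192.0.2.0/24 (green), public web server 192.0.2.10
define WAN     = eth0
define LAN     = eth1
define DMZ     = eth2
define LAN_NET = 10.0.0.0/24
define DMZ_NET = 192.0.2.0/24
define WEB     = 192.0.2.10
define DB      = 10.0.0.20

flush ruleset

table inet dmz {
    chain forward {
        # Default-deny: any flow not explicitly accepted below is dropped.
        type filter hook forward priority filter; policy drop;

        # Replies to already-accepted connections pass in either direction;
        # every rule after this one is therefore judging a NEW flow only.
        ct state established,related accept
        ct state invalid drop

        # Anti-spoofing: packets entering a zone interface must carry that
        # zone's source prefix, so a DMZ host cannot pose as a LAN host.
        iifname $LAN ip saddr != $LAN_NET drop
        iifname $DMZ ip saddr != $DMZ_NET drop

        # Rule 1: internal hosts can reach the DMZ and the Internet.
        iifname $LAN oifname { $DMZ, $WAN } accept

        # Rule 2: external hosts can reach only the published DMZ service
        # (web on 80/443). No rule exists from $WAN to $LAN at all.
        iifname $WAN oifname $DMZ ip daddr $WEB tcp dport { 80, 443 } accept

        # Rule 3: DMZ hosts can reach the Internet (tighten to the ports the
        # servers actually need, e.g. DNS and package updates).
        iifname $DMZ oifname $WAN accept

        # The single documented exception to "DMZ never initiates into the
        # LAN": the web server to the internal database, one source, one
        # destination, one port. Nothing else from the DMZ may enter the LAN.
        iifname $DMZ oifname $LAN ip saddr $WEB ip daddr $DB tcp dport 5432 accept

        # Make denials visible before the policy drop takes effect.
        limit rate 10/minute log prefix "dmz-fw denied: "
    }

    chain input {
        # Traffic addressed to the firewall itself: manage it from the LAN only.
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname lo accept
        iifname $LAN tcp dport 22 accept
    }
}
```

Load it with `nft -f dmz.nft` and inspect the result with `nft list ruleset`. The same policy maps onto the dual-firewall design by splitting the forward chain: the front-end (perimeter) firewall keeps only the rules that involve `$WAN`, and the back-end (internal) firewall keeps the `$LAN`-to-`$DMZ` rule and the web-to-database exception. If the back-end rule were written the other way round, allowing `iifname $DMZ oifname $LAN` in general, a compromised web server would have free reach into the intranet, which is exactly what the DMZ is meant to prevent.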
Courtesy: http://www.wikipedia.org