Geopolitically, a demilitarized zone (DMZ) is an area that runs between two territories that are hostile to one another or two opposing forces’ battle lines. The term was first widely used to refer to the strip of land that cuts across the Korean peninsula and separates the North from the South.
In computer security, a DMZ or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization’s external-facing services to an untrusted network, usually a larger network such as the Internet.
It adds an additional layer of security to a network and acts as a buffer between a local area network (LAN) and a less secure network, typically the Internet.
Because of this buffering role, a DMZ is also known as a landing zone.
Need for a DMZ and the benefits it offers.
The general idea is to put public-facing servers in the “DMZ network” so as to separate them from the private, trusted network. The typical case is an application server with a public face: because it is reachable from the outside, it can be remotely rooted. If that happens and a malicious party gains access to the server, the intruder should be isolated in the DMZ network and should not have direct access to the private hosts (for example a database server, which would sit inside the private network and not in the DMZ).
- The DMZ must be separated from the rest of the network both in terms of IP routing and security policy.
- Identify your network areas. Internal: critical systems. DMZ: systems you can afford to have “exposed”, i.e. systems that host services for the outside world, e.g. your SSH hosts. External: the rest of the world.
- Set up these separate areas on your network architecture.
- Firewalls/routers are then configured to allow direct connections from the outside world only to the DMZ. Correspondingly, your internal systems should be able to connect only to the DMZ, and reach the outside world through the HTTP proxies, application proxies, mail relays etc. located there. Your firewall rules should reflect these decisions by blocking the corresponding traffic directions/IPs/ports: e.g. inbound, allow only the ports of services operating in the DMZ.
- Ideally, any service exchanging information between network areas (internal, DMZ, external) must be configured so that the connection is initiated FROM the more secure network segment TO the less secure one; e.g. if you need to transfer files to “inside” hosts, have the inside systems initiate the transfer (take the client role rather than the server role).
- Internet services should be placed in the DMZ. The most common of these services are web, mail, DNS, FTP and VoIP. The systems running these services in the DMZ are reachable by hackers and cybercriminals around the world and need to be hardened to withstand constant attack.
- SSL termination and handshaking must be configured in the DMZ. The DMZ must also contain systems to detect and isolate attacks, e.g. web application firewalls.
There are various ways to design a network with a DMZ. The two most common methods use either a single firewall or dual firewalls. These architectures can be expanded into very complex designs depending on the network requirements.
A single firewall with at least three network interfaces can be used to create a network architecture containing a DMZ. The external network runs from the ISP to the firewall’s first network interface, the internal network hangs off the second network interface, and the DMZ off the third. Separate sets of firewall rules for traffic between the Internet and the DMZ, the LAN and the DMZ, and the LAN and the Internet tightly control which ports and types of traffic are allowed into the DMZ from the Internet, limit connectivity to specific hosts in the internal network, and prevent unrequested connections from the DMZ either to the Internet or to the internal LAN.
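The design rules listed above (default deny, external traffic only into the DMZ, internal hosts reaching the Internet only through DMZ proxies and relays, connections initiated from the more trusted side, no unrequested connections out of the DMZ) can be written down as data and checked before they are pushed to a device. The following is an added example, not code from the original article or from TCS; it models the three-interface single-firewall design as a zone policy, evaluates a few constructed sample flows against it, lints the policy for rules that break the principles, and renders the result as an nftables forward chain. The interface names eth0/eth1/eth2, the proxy port 3128 and the service list are assumptions chosen for illustration.

```python
"""Zone policy for a single-firewall, three-interface DMZ (added example)."""
from dataclasses import dataclass

# Assumed interface assignment: one firewall, three NICs (hypothetical names).
ZONE_IFACE = {"external": "eth0", "dmz": "eth1", "internal": "eth2"}


@dataclass(frozen=True)
class Rule:
    src: str        # zone that INITIATES the connection
    dst: str        # zone that receives it
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    why: str = ""   # documentation only, emitted as an nft comment


# Default deny. Only these flows may be initiated; replies ride on conntrack.
# Service selection is illustrative (assumed), matching the roles in the text.
POLICY = [
    Rule("external", "dmz", "tcp", 80, "public web"),
    Rule("external", "dmz", "tcp", 443, "public web, SSL terminated in DMZ"),
    Rule("external", "dmz", "tcp", 25, "inbound mail to relay"),
    Rule("external", "dmz", "udp", 53, "authoritative DNS"),
    Rule("internal", "dmz", "tcp", 3128, "LAN browses via DMZ HTTP proxy"),
    Rule("internal", "dmz", "tcp", 25, "LAN submits mail to relay"),
    Rule("internal", "dmz", "tcp", 22, "file transfer initiated from inside"),
    Rule("dmz", "external", "tcp", 25, "relay delivers mail outbound"),
    Rule("dmz", "external", "udp", 53, "resolver queries upstream"),
    Rule("dmz", "external", "tcp", 80, "proxy fetches upstream"),
    Rule("dmz", "external", "tcp", 443, "proxy fetches upstream"),
]


def is_allowed(src, dst, proto, dport, policy=POLICY):
    """True if a NEW connection src->dst proto/dport may be initiated."""
    return any(r.src == src and r.dst == dst and r.proto == proto
               and r.dport == dport for r in policy)


def lint_policy(policy=POLICY):
    """Return rules that contradict the design principles."""
    problems = []
    for r in policy:
        # Nothing is ever initiated INTO the trusted zone: inside plays client.
        if r.dst == "internal":
            problems.append(r)
        # Nothing bypasses the DMZ: internal and external never talk directly.
        if {r.src, r.dst} == {"internal", "external"}:
            problems.append(r)
    return problems


def render_nftables(policy=POLICY):
    """Emit an nftables forward chain implementing the policy.

    Stateful: replies to accepted connections match the conntrack rule, so
    each policy rule only has to permit the initiating direction.
    """
    lines = [
        "table inet dmz_fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for r in policy:
        lines.append(
            f'    iifname "{ZONE_IFACE[r.src]}" oifname "{ZONE_IFACE[r.dst]}" '
            f'{r.proto} dport {r.dport} ct state new accept comment "{r.why}"'
        )
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


# Constructed sample flows (src, dst, proto, dport) to exercise the policy.
SAMPLE_FLOWS = [
    ("external", "dmz", "tcp", 443),       # visitor reaches the web server
    ("external", "internal", "tcp", 445),  # direct attempt at a LAN host
    ("dmz", "internal", "tcp", 3306),      # DMZ host reaching the LAN database
    ("internal", "dmz", "tcp", 3128),      # LAN user going through the proxy
    ("internal", "external", "tcp", 443),  # LAN host bypassing the proxy
    ("dmz", "external", "tcp", 4444),      # unrequested outbound from the DMZ
]


def evaluate(flows=SAMPLE_FLOWS, policy=POLICY):
    """Map each sample flow to its verdict under the policy."""
    return {f: is_allowed(*f, policy=policy) for f in flows}


if __name__ == "__main__":
    for flow, ok in evaluate().items():
        print("ALLOW" if ok else "DROP ", *flow)
    print("policy problems:", lint_policy())
    print(render_nftables())
```

Only the two flows that match the text (Internet to a DMZ service, LAN to the DMZ proxy) are allowed; the other four, including the DMZ host reaching into the LAN, fall to the chain's drop policy. The lint deliberately has no exception for the internal zone as a destination, so adding a DMZ-to-database rule shows up as a finding rather than silently widening the policy.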
A more secure approach is to use two firewalls to create a DMZ. The first firewall, also called the perimeter firewall, is configured to allow traffic destined for the DMZ only. The second, or internal, firewall only allows traffic from the DMZ to the internal network. This is considered more secure since two devices would need to be compromised before an attacker could access the internal LAN. Because a DMZ segments a network, security controls can be tuned specifically for each segment. For example, a network intrusion detection and prevention system located in a DMZ that contains only a web server can block all traffic except HTTP and HTTPS requests on ports 80 and 443.
Authored By – Raj Bhatia
TCS Cyber Security Practice