Very much like our world, where some people strive for peace and others strive for chaos, our cyber world, the Internet, is also a grave battlefield. Many parties, nation-states and individuals are constantly engaged in cyber-warfare against each other.
 
This ever-persistent cyber-warfare forced information security people to hunt for ideas, and they borrowed one from military terminology: the DMZ (Demilitarized Zone). A demilitarized zone is an area that sits between two areas controlled by opposing forces or nations.
 
In military terms, a DMZ is a place where two competing factions agree to put their conflict aside so that meaningful work can be done. For example, a land strip like this separates the Korean Peninsula, keeping the North and South at bay.
-

👉 What is a DMZ Network?

A DMZ is a perimeter network that protects your organization’s internal local-area network (LAN) from untrusted traffic.
 
In networking terms, it is basically a SUB-NETWORK that separates your public-facing services from your private networks and services. It exposes your external-facing (read: internet-facing) services to all untrusted networks, including the internet...
 
But a DMZ adds an extra layer of security to protect the sensitive data stored on your internal networks, using a FIREWALL to filter the traffic. Your public-facing servers sit within the DMZ, but they communicate with databases that are protected by firewalls.
 
-
👉👉 How Does A DMZ Network Work?
 
A DMZ network is a buffer between the internet and your private network (LAN).
 
Your DMZ is isolated by a security gateway, i.e., a Firewall. It means that you place a firewall between your DMZ network and the rest of the network (LAN) to separate them. This firewall will filter the traffic between the DMZ and your LAN. This separation is a must to really protect your LAN(s).
 
However, you need to protect your DMZ too... Right?
 
How will you protect your DMZ now?
 
By another Firewall, of course. Your DMZ is protected by a second firewall that you place between the DMZ and the internet. This firewall filters all traffic coming from external networks.
 
Remember: for all practical purposes, a DMZ network is ideally located between two firewalls.
 
Your DMZ Firewall inspects all incoming data packets before they make it through to the servers hosted in the DMZ. Your company should place its external-facing services and resources in the DMZ: servers for the Domain Name System (DNS), File Transfer Protocol (FTP), mail, proxy, Voice over Internet Protocol (VoIP), and web servers.
 
All of these systems must be publicly accessible, you know that. However, they are also potentially vulnerable to compromise (such as exploitation of web application vulnerabilities) or could be used in an attack, like the use of DNS for Distributed Denial of Service (DDoS) amplification. A DMZ enables your organization to expose internet-facing functionality without placing the rest of your internal systems at risk.
 
Since these servers and resources are isolated in the DMZ, they are given very limited access to your internal LAN: they can be reached from the internet, but your internal LAN(s) cannot. As a result, a DMZ makes it more difficult for a hacker to gain direct access to your company's data and internal servers via the internet.
 
This means that even if a sophisticated attacker gets past the first firewall, they must also break into the hardened services in the DMZ before they can do damage to your business.
This also means that if an attacker somehow penetrates your external firewall and compromises a system in the DMZ, they then have to get past the internal firewall as well before they can gain any access to your sensitive corporate data. Got it?
A highly skilled bad actor may well be able to breach a secure DMZ, but the resources within it should trigger alarms that give you plenty of warning that an attack or breach is in progress.
-
 

👉 Design/Architecture of DMZ

 
There are many possible approaches, but here are the 2 main ones:
 

1. Single Firewall

 
You can design your DMZ with a single firewall, but this design requires three or more network interfaces. The first is for the external network, which connects the public internet to the firewall. The second is for the internal network, i.e., your LAN. The third interface is for your DMZ.
 
This design requires you to create a large number of RULES in your firewall to monitor and control the traffic allowed to reach the DMZ and to LIMIT connectivity to your internal network.
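As an added illustration (not from the original post), here is what that rule set looks like on a Linux box running nftables with the three interfaces described above. Interface names, the 192.0.2.10 web server, the 10.0.0.20 database and the port numbers are constructed assumptions; the point is the default-deny forward policy and the fact that every zone-to-zone path needs its own explicit rule.

```nft
#!/usr/sbin/nft -f
# Single-firewall DMZ: one box, three interfaces (names are assumed).
#   eth0 = external/internet, eth1 = internal LAN, eth2 = DMZ
# Addresses are constructed examples from documentation ranges.
define WAN = "eth0"
define LAN = "eth1"
define DMZ = "eth2"
define WEB_SRV = 192.0.2.10      # public web server in the DMZ
define DB_SRV  = 10.0.0.20       # database on the internal LAN
define LAN_NET = 10.0.0.0/24

flush ruleset

table inet dmz_fw {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published services on the web server.
        iifname $WAN oifname $DMZ ip daddr $WEB_SRV tcp dport { 80, 443 } accept

        # Internet -> LAN: never. The policy already drops it; log it as well.
        iifname $WAN oifname $LAN log prefix "WAN->LAN " drop

        # DMZ -> LAN: only the web server, only to the database, only its port.
        iifname $DMZ oifname $LAN ip saddr $WEB_SRV ip daddr $DB_SRV tcp dport 5432 accept

        # DMZ -> internet: let DMZ hosts fetch updates; route via a proxy if you run one.
        iifname $DMZ oifname $WAN tcp dport { 80, 443 } accept

        # LAN -> DMZ: administrators manage DMZ hosts, users reach the site.
        iifname $LAN oifname $DMZ ip saddr $LAN_NET tcp dport { 22, 443 } accept

        # LAN -> internet.
        iifname $LAN oifname $WAN accept

        # Everything else leaving the DMZ is logged and dropped: a compromised
        # DMZ host should trip this rule, not reach the LAN.
        iifname $DMZ log prefix "DMZ-DROP " drop
    }
}
```

The "DMZ-DROP" log prefix is what gives you the early warning mentioned earlier: a DMZ host that suddenly tries to reach LAN addresses other than the database shows up in the firewall log.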
 

2. Dual firewall

 
I have already given you the example of this design above. In this design, you deploy two firewalls and your DMZ lies between them. The first firewall only allows external traffic to the DMZ, and the second only allows traffic that goes from the DMZ into the internal network. An attacker would have to compromise both firewalls to gain access to an organization’s LAN.
 
This design is generally the more secure option. That is why the majority of modern DMZ architectures use the dual-firewall approach, which can be expanded to build more complex systems.
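The same policy split across two boxes, as an added example that is not part of the original post: the external firewall has no LAN interface at all, so it physically cannot forward internet traffic to the LAN, and the internal firewall only knows the DMZ and the LAN. Interface names, the 192.0.2.10 web server, the 10.0.0.20 database and ports are constructed assumptions; each table is loaded on its own box and they are shown together only for comparison.

```nft
# ---- External firewall (internet | DMZ): eth0 = internet, eth1 = DMZ ----
table inet external_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published services on the web host.
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.10 tcp dport { 80, 443 } accept

        # DMZ -> internet: updates only; everything else from the DMZ is logged.
        iifname "eth1" oifname "eth0" tcp dport { 80, 443 } accept
        iifname "eth1" log prefix "EXT-FW DMZ-DROP " drop
    }
}

# ---- Internal firewall (DMZ | LAN): eth0 = DMZ, eth1 = LAN ----
table inet internal_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # DMZ -> LAN: only the web server to the database port.
        iifname "eth0" oifname "eth1" ip saddr 192.0.2.10 ip daddr 10.0.0.20 tcp dport 5432 accept

        # LAN -> DMZ: administrators manage the DMZ hosts over SSH.
        iifname "eth1" oifname "eth0" tcp dport 22 accept

        # Any other DMZ -> LAN attempt is the "attacker got past the first
        # firewall" case: log it and drop it.
        iifname "eth0" log prefix "INT-FW DMZ-DROP " drop
    }
}
```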
-
 

👉👉👉 What are the extended benefits of DMZ Networks?

 
While a firewall is all that is required to define a DMZ’s boundaries, you can deploy additional defenses on these boundaries as well. Depending on the services implemented within the DMZ, you may wish to deploy a web application firewall (WAF), email scanning solution, or other security controls to provide targeted protection to the services deployed in the DMZ.
 
You can also place an IDS/IPS solution within a DMZ and configure it to block any traffic other than Hypertext Transfer Protocol Secure (HTTPS) requests to Transmission Control Protocol (TCP) port 443.
 
If you need to comply with regulations such as HIPAA, you can install a proxy server in the DMZ. This proxy server lets you simplify the monitoring and recording of user activity, centralize web content filtering, and ensure employees use it to gain access to the internet.
 
If your organisation has built a hybrid cloud environment using, say, AWS, you can still use a DMZ to control how your critical data is accessed. A DMZ is particularly useful if you need detailed auditing of your outgoing traffic or granular traffic control between your virtual network (in the cloud) and the on-premises data center.
 
A DMZ is surely a very good practice if you intend to protect your ICS infrastructure (OT technology) from outside attacks. It can provide increased network segmentation that makes it harder for ransomware or other network threats to bridge the gap between your IT systems and your more vulnerable OT devices.
-
 
While a network DMZ can't eliminate cyber-risk, it can surely add an extra layer of security around the extremely sensitive documents and records you don't want exposed. However, a DMZ is only useful if the firewalls defending its boundaries are capable of detecting potential threats and enforcing strong access controls. Hence, you should deploy modern NGFWs for this purpose...
 
A DMZ configuration provides additional security from external attacks, but it typically has no bearing on internal attacks such as sniffing communication via a packet analyzer or spoofing via email or other means. I hope you get it right!
-
Kindly write 💚 your comments 💚 on the posts or topics, because when you do that you help me greatly in ✍️ designing new quality article/post on cybersecurity.
 
You can also share with all of us if the information shared here helps you in some manner.
 
Life is small and make the most of it!
Also take care of yourself and your beloved ones…
 
With thanks,
Meena R.
_______

This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...

She is so obsessed with the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on her website and social media platforms.

34,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook. 

If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:

Click Here to follow her: Cybersecurity PRISM