Importance of DMZ in Network Security

31/10/2012

Demilitarized Zone (DMZ)

A demilitarized zone (DMZ), also called a perimeter network, is a separate, small network segment that sits between the untrusted external network (usually the Internet) and the trusted internal network (the local area network) holding data that must not be exposed to unauthorized parties. Hosts that have to be reachable from the outside are placed in the DMZ rather than on the LAN. Traffic arriving from the external network first reaches an outward-facing firewall, which inspects each packet and accepts or drops it according to the rules the security administrators have defined. The DMZ therefore adds a layer of defence to the internal network: nothing from outside reaches the LAN without being filtered, and even if an externally reachable host in the DMZ is compromised, the attacker still faces a firewall boundary before reaching internal systems.

Types of DMZs

Most networks, simple or complex, use one of two DMZ designs:

  • Single Firewall DMZ – A single-firewall DMZ, also called the three-legged model, uses one firewall (usually a dedicated hardware appliance) with three network interface cards (NICs). The first NIC connects to the external network (the Internet), the second to the trusted internal LAN, and the third to a separate DMZ segment. The DMZ is a third leg hanging off the firewall, not a segment physically in line between the Internet and the LAN, so the firewall's rules alone decide what may cross between the three zones. The rules are written so that DMZ hosts can accept connections from the external network on their published service ports only, may open connections to the external network where a service needs it (for example an outbound mail relay), and can never open a connection to the internal network. Internal hosts may open connections to DMZ hosts; because the firewall is stateful, replies from a DMZ host to a connection that an internal host initiated are allowed back through, while any new connection attempted from the DMZ towards the LAN is dropped. The weakness of this design is that a single misconfiguration, or a compromise of the one firewall, exposes both the DMZ and the LAN at once.
  • Dual Firewall DMZ – A dual-firewall DMZ places two firewalls between the external and internal networks, with the DMZ segment between them; each firewall needs only two NICs. The first, the front-end firewall, connects the external network to the DMZ and permits inbound packets only when they are addressed to DMZ hosts on the published service ports; everything else arriving from outside is dropped. The second, the back-end firewall, connects the DMZ to the internal network and permits only the specific flows the DMZ services need to reach internal systems (for example, a front-end mail server talking to its back-end server on the required ports), plus replies to connections opened from inside; it denies all other DMZ-to-internal traffic. The dual-firewall design is considered stronger than the three-legged setup because a packet from the Internet must be accepted by both firewalls before it can reach the LAN, and a compromise of the front-end firewall does not by itself expose the internal network. Using firewalls from two different vendors is common practice, so that a vulnerability in one product cannot defeat both layers.
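The following is an added example, not code from the original article or from any firewall product: a minimal stateful, zone-based packet-filter model of the three-legged policy described above. The addresses (203.0.113.0/24 as "external", 172.16.1.0/24 as "dmz", 10.0.0.0/24 as "internal"), the service ports and the scenario packets are all constructed for illustration. The point it makes concrete is the one the prose depends on: a DMZ host may answer a connection an internal client opened, yet the very same host is refused when it tries to open a connection inward, because the decision is made on connection state and then on the zone policy, with default deny.

```python
"""Stateful zone policy model of a three-legged (single-firewall) DMZ.

Added example; not the article's own code.  Zones, addresses, ports and
the scenario packets below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

ANY = frozenset({-1})   # sentinel meaning "any destination port"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool            # True if this packet could open a new TCP connection


@dataclass
class ZoneFirewall:
    """Three interfaces, three zones; default deny; replies admitted by connection state."""
    zones: Dict[str, str]                               # address prefix -> zone name
    allowed_new: Dict[Tuple[str, str], FrozenSet[int]]  # (src_zone, dst_zone) -> permitted dports
    conntrack: Set[Tuple[str, int, str, int]] = field(default_factory=set)

    def zone_of(self, ip: str) -> str:
        # Crude prefix match, sufficient for the model; unknown sources never match a rule.
        for prefix, zone in self.zones.items():
            if ip.startswith(prefix):
                return zone
        return "unknown"

    def filter(self, pkt: Packet) -> str:
        # 1. ESTABLISHED: a packet belonging to a flow the firewall already admitted is
        #    accepted in either direction.  This is how a DMZ host answers an internal client.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack \
                or (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.conntrack:
            return "ACCEPT"
        # 2. No state and not a connection opener: drop it as INVALID (a spoofed ACK/reply).
        if not pkt.syn:
            return "DROP"
        # 3. NEW: consult the zone policy; anything not explicitly allowed is dropped.
        ports = self.allowed_new.get((self.zone_of(pkt.src), self.zone_of(pkt.dst)), frozenset())
        if ports == ANY or pkt.dport in ports:
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        return "DROP"


def three_legged_firewall() -> ZoneFirewall:
    """Policy for the single-firewall DMZ: published DMZ services reachable from outside,
    internal hosts may reach the DMZ and the Internet, the DMZ may never open inward."""
    return ZoneFirewall(
        zones={"203.0.113.": "external", "172.16.1.": "dmz", "10.0.0.": "internal"},
        allowed_new={
            ("external", "dmz"):      frozenset({25, 53, 80, 443}),  # published services only
            ("internal", "dmz"):      ANY,                            # admins/clients reach DMZ hosts
            ("internal", "external"): ANY,                            # outbound browsing etc.
            ("dmz", "external"):      frozenset({25, 53}),            # outbound mail relay, DNS
            # ("dmz", "internal") and ("external", "internal") are deliberately absent.
        },
    )


def demo() -> Dict[str, str]:
    """Run the scenarios a reviewer would check by hand; returns label -> verdict."""
    fw = three_legged_firewall()
    web, mail = "172.16.1.10", "172.16.1.20"            # constructed DMZ hosts
    client, fileserver = "10.0.0.5", "10.0.0.50"        # constructed internal hosts
    attacker = "203.0.113.7"                            # constructed external host
    return {
        "internet->dmz web":        fw.filter(Packet(attacker, web, 40000, 443, True)),
        "internet->internal smb":   fw.filter(Packet(attacker, fileserver, 40001, 445, True)),
        "internal->dmz ssh":        fw.filter(Packet(client, web, 40002, 22, True)),
        "dmz->internal reply":      fw.filter(Packet(web, client, 22, 40002, True)),   # SYN-ACK back
        "dmz->internal new smb":    fw.filter(Packet(web, fileserver, 40003, 445, True)),
        "dmz->internal spoof ack":  fw.filter(Packet(mail, fileserver, 445, 40004, False)),
        "dmz->internet mail relay": fw.filter(Packet(mail, attacker, 40005, 25, True)),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:26} {verdict}")
```

The same policy table, split in two, is the dual-firewall design: the front-end firewall carries only the ("external", "dmz") and ("dmz", "external") rows, the back-end firewall only the ("internal", "dmz") row plus whatever narrow ("dmz", "internal") flows the DMZ services genuinely need, and a packet from the Internet must clear both before it touches the LAN. Per-host rules (which DMZ server may reach which internal server) are left out of this model for brevity; a production rule set should carry them.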

Hosts That Can Be Placed in DMZ

Once the DMZ segment exists and has been hardened, administrators decide which hosts belong in it according to their requirements. The systems most commonly placed in a DMZ are:

  • DNS Server – A DNS server in the DMZ answers queries from clients on the external network for the organization's public zone. Because DNS underpins almost all other communication, the server exposed to the Internet should hold only the public records and should not be the server the internal network relies on. The usual arrangement is split DNS: the externally visible server in the DMZ is a secondary carrying a copy of the public zone (read-only as far as clients are concerned; it only receives queries and answers them), while the primary and the internal zone stay inside the LAN, and recursion is disabled on the DMZ server so it cannot be used as an open resolver or have a cache poisoned with fake records. Internal host names are then never published, and a compromise of the DMZ server cannot alter the records internal hosts use.
  • Front-End Exchange Servers – Administrators commonly split the Exchange server roles and place in the DMZ only the servers that accept connections from external clients (for example, for webmail and mobile access). These are the front-end servers. A front-end server holds no mailboxes: it handles the client connection and proxies the request to the back-end Exchange servers inside the internal network, which return the requested data. The firewall allows only that front-end-to-back-end traffic, so external clients never connect to the servers that actually store the mail.
  • HTTP Servers – Web servers are placed in the DMZ by most administrators. External clients connect to the web server on the DMZ segment, so the site can be served without any external host entering the internal network, and the internal network remains invisible to outside clients. Where the web application needs a database or application server, that back-end stays inside the LAN and the firewall permits only the web server to reach it, on the required port alone.
  • Active Directory Lightweight Directory Services – When the internal network is built on Microsoft Windows Server 2008, a separate Active Directory Lightweight Directory Services (AD LDS) instance can run in the DMZ to hold the directory data that externally facing applications need in order to authenticate their users. External clients and DMZ applications bind to the AD LDS instance; if it must validate credentials against domain accounts, that traffic runs over a single firewall-permitted path from the AD LDS host to the domain controller. The domain controller itself is therefore never directly reachable from the external network.

Thorough planning is required to produce a sound DMZ design. Before deploying a DMZ in production, administrators should build the model in a lab, test it against the intended rules from each zone, and close any gaps found.
