DMZ (computing)


In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network or screened subnet) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted, usually larger, network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is protected behind a firewall. [1] The DMZ functions as a small, isolated network positioned between the Internet and the private network. [2]


This is not to be confused with a DMZ host, a feature present in some home routers which frequently differs greatly from an ordinary DMZ.

The name comes from the term demilitarized zone, an area between states in which military operations are not permitted.

Rationale

The DMZ is regarded as belonging to neither of the networks bordering it. The metaphor carries over to computing: the DMZ is the part of the network that faces the public Internet, and it is neither as trusted as the internal network nor as hostile as the Internet itself.

In practice, the hosts most exposed to attack are those that provide services to users outside the local area network, such as e-mail, web and Domain Name System (DNS) servers. Because these hosts face a higher likelihood of attack, they are placed in this separate subnetwork so that the rest of the network remains protected if any of them is compromised.

Hosts in the DMZ are permitted only limited connectivity to specific hosts on the internal network, because the DMZ is less trusted than the internal network. Communication between DMZ hosts and the external network is likewise restricted, so that the DMZ is more secure than the Internet and suitable for housing these special-purpose services. DMZ hosts can therefore talk to both the internal and the external network, but a firewall mediates the traffic between the DMZ servers and the internal clients, and another firewall (or another interface of the same firewall) controls what the external network may reach in the DMZ.

A DMZ configuration provides additional security from external attacks, but it typically has no bearing on internal attacks such as sniffing communication via a packet analyzer or spoofing such as e-mail spoofing.

It is also sometimes good practice to configure a separate classified militarized zone (CMZ), [3] a highly monitored militarized zone comprising mostly web servers (and similar servers that interface with the external world, i.e. the Internet) that are not in the DMZ but hold sensitive information about accessing servers within the LAN (such as database servers). In such an architecture the DMZ usually holds the application firewall and the FTP server, while the CMZ hosts the web servers. (The database servers may sit in the CMZ, in the LAN, or in a separate VLAN altogether.)

Any service that is provided to users on the external network can be placed in the DMZ. The most common of these are web servers, mail servers and proxy servers, described below.

Web servers

Web servers that communicate with an internal database require access to a database server, which may not be publicly accessible and may contain sensitive information. The web servers can communicate with the database servers either directly or, for security reasons, through an application firewall.

Mail servers

E-mail messages, and particularly the user database, are confidential, so they are typically stored on servers that cannot be reached from the Internet (at least not in an insecure manner) but can be reached by the mail servers that are exposed to the Internet.

The mail server inside the DMZ passes incoming mail to the secured internal mail servers. It also handles outgoing mail.

Proxy servers

For security, for compliance with legal standards such as HIPAA, and for monitoring reasons, some enterprises install a proxy server within the DMZ through which internal clients reach the Internet. This has the following benefits:

Reverse proxy servers

A reverse proxy server, like a forward proxy, is an intermediary, but it works the other way around: instead of giving internal users access to an external network, it gives an external network (usually the Internet) indirect access to internal resources. For example, a back-office application such as an e-mail system can be made available to external users (to read mail while away from the office) without giving the remote user direct access to the mail server; only the reverse proxy can reach the internal mail server. This adds a layer of security and is particularly recommended when internal resources must be reachable from outside, but the design still lets remote (and potentially malicious) users talk to the internal resource through the proxy. Because the proxy relays traffic between the untrusted network and the internal resource, it will also forward malicious traffic (for example application-level exploits) towards the internal network unless it detects and filters it; the proxy's inspection and filtering capabilities are therefore crucial in preventing external attackers from exploiting vulnerabilities in the internal resources it publishes. Such a reverse proxy is usually provided by an application-layer firewall, which inspects the shape and content of the traffic rather than merely controlling access to particular TCP and UDP ports as a packet filter would. It is not, however, a good substitute for a well thought out DMZ design, since its protection depends on continuous signature updates to keep pace with new attack vectors.

Architecture

There are many different ways to design a network with a DMZ. Two of the most basic are the single-firewall design, also known as the three-legged model, and the dual-firewall design, also known as back-to-back. These architectures can be expanded into very complex designs depending on the network requirements.

Single firewall

[Figure: Diagram of a typical three-legged network model employing a DMZ using a single firewall.]

A single firewall with at least three network interfaces can be used to create a network architecture containing a DMZ. The external network runs from the ISP to the firewall's first interface, the internal network hangs off the second interface, and the DMZ off the third. The firewall becomes a single point of failure for the whole network and must be able to handle all of the traffic going to the DMZ as well as to the internal network. The zones are usually marked with colors, for example purple for the LAN, green for the DMZ and red for the Internet (often with another color for wireless zones).

Dual firewall

[Figure: Diagram of a typical network employing a DMZ using dual firewalls.]

The most secure approach, according to Colton Fralick, [4] is to use two firewalls to create a DMZ. The first firewall (also called the "front-end" or "perimeter" [5] firewall) is configured to allow only traffic destined for the DMZ. The second firewall (also called the "back-end" or "internal" firewall) allows only traffic between the internal network and the DMZ, and only the specific flows the DMZ services need, such as internal clients reaching the DMZ or a DMZ web server reaching a particular internal database server.

This setup is considered [4] more secure, since an attacker would need to compromise two devices. There is even more protection if the two firewalls come from different vendors, because it is then less likely that both devices suffer from the same security vulnerability: a flaw found in one vendor's product is unlikely to be present in the other's. One drawback of this architecture is that it is more costly, both to purchase and to manage. [6] The practice of using firewalls from different vendors is sometimes described as a component of a "defense in depth" [7] security strategy.

DMZ host

Some home routers refer to a DMZ host, which in many cases is a misnomer. A home router's DMZ host is a single IP address on the internal network to which the router delivers all inbound traffic that is not otherwise forwarded to other LAN hosts. This is not a true DMZ (demilitarized zone), since the router alone does not separate that host from the internal network: the DMZ host can connect freely to other hosts on the internal network, whereas hosts in a real DMZ are prevented from connecting to the internal network by the firewall that separates them, unless the firewall explicitly permits the connection (for example, a firewall may allow the flow once a host on the internal network has first opened a connection to the host in the DMZ).

The DMZ host therefore provides none of the security advantages that a separate subnet provides, and it is often used simply as an easy way of forwarding all ports to another firewall or NAT device. Establishing a DMZ host is also used for systems that do not interact properly with normal firewall rules or NAT, for instance because no forwarding rule can be formulated ahead of time (varying TCP or UDP port numbers rather than a fixed number or fixed range), or for network protocols that the router has no code to handle (6in4 or GRE tunnels are prototypical examples).


References

  1. "Control System Security DMZ". Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Homeland Security. Archived from the original on 2020-06-09. Retrieved 2020-06-09.
  2. "What is a DMZ and How does it Work?". TechTarget SearchSecurity. Retrieved 2020-06-09.
  3. Mitchell, Bradley (27 August 2018). "Demilitarized Zone in Computer Networking". Retrieved 10 December 2018.
  4. Jacobs, Stuart (2015). Engineering Information Security: The Application of Systems Engineering Concepts to Achieve Information Assurance. John Wiley & Sons. p. 296. ISBN 9781119101604.
  5. "Perimeter Firewall Design". Microsoft Security TechCenter. Microsoft Corporation. Retrieved 14 October 2013.
  6. Zeltser, Lenny (April 2002). "Firewall Deployment for Multitier Applications".
  7. Young, Scott (2001). "Designing a DMZ". SANS Institute. p. 2. Retrieved 11 December 2015.
