DMZ (computing)

Last updated January 12, 2025

In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network or screened subnet) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted, usually larger, network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is protected behind a firewall.^[1] The DMZ functions as a small, isolated network positioned between the Internet and the private network.^[2]

Rationale

The DMZ is seen as not belonging to either network bordering it. This metaphor applies to the computing use as the DMZ acts as a gateway to the public Internet. It is neither as secure as the internal network, nor as insecure as the public internet.

In this case, the hosts most vulnerable to attack are those that provide services to users outside of the local area network, such as e-mail, Web and Domain Name System (DNS) servers. Because of the increased potential of these hosts suffering an attack, they are placed into this specific subnetwork in order to protect the rest of the network in case any of them become compromised.

Hosts in the DMZ are permitted to have only limited connectivity to specific hosts in the internal network, as the content of DMZ is not as secure as the internal network. Similarly, communication between hosts in the DMZ and to the external network is also restricted to make the DMZ more secure than the Internet and suitable for housing these special-purpose services. This allows hosts in the DMZ to communicate with both the internal and external network, while an intervening firewall controls the traffic between the DMZ servers and the internal network clients, and another firewall would perform some level of control to protect the DMZ from the external network.

A DMZ configuration provides additional security from external attacks, but it typically has no bearing on internal attacks such as sniffing communication via a packet analyzer or spoofing such as e-mail spoofing.

It is also sometimes good practice to configure a separate classified militarized zone (CMZ),^[3] a highly monitored militarized zone comprising mostly Web servers (and similar servers that interface to the external world i.e. the Internet) that are not in the DMZ but contain sensitive information about accessing servers within the LAN (like database servers). In such architecture, the DMZ usually has the application firewall and the FTP while the CMZ hosts the Web servers. (The database servers could be in the CMZ, in the LAN, or in a separate VLAN altogether.)

Any service that is being provided to users on the external network can be placed in the DMZ. The most common of these services are:

Web servers
Mail servers
FTP servers
VoIP servers

Web servers that communicate with an internal database require access to a database server, which may not be publicly accessible and may contain sensitive information. The web servers can communicate with database servers either directly or through an application firewall for security reasons.

E-mail messages and particularly the user database are confidential, so they are typically stored on servers that cannot be accessed from the Internet (at least not in an insecure manner), but can be accessed from email servers that are exposed to the Internet.

The mail server inside the DMZ passes incoming mail to the secured/internal mail servers. It also handles outgoing mail.

For security, compliance with legal standards such as HIPAA, and monitoring reasons, in a business environment, some enterprises install a proxy server within the DMZ. This has the following benefits:

Obliges internal users (usually employees) to use the proxy server for Internet access.
Reduced Internet access bandwidth requirements since some web content may be cached by the proxy server.
Simplifies recording and monitoring of user activities.
Centralized web content filtering.

A reverse proxy server, like a proxy server, is an intermediary but is used the other way around. Instead of providing a service to internal users wanting to access an external network, it provides indirect access for an external network (usually the Internet) to internal resources. For example, a back office application access, such as an email system, could be provided to external users (to read emails while outside the company) but the remote user would not have direct access to their email server (only the reverse proxy server can physically access the internal email server). This is an extra layer of security particularly recommended when internal resources need to be accessed from the outside, but it's worth noting this design still allows remote (and potentially malicious) users to talk to the internal resources with the help of the proxy. Since the proxy functions as a relay between the non-trusted network and the internal resource: it may also forward malicious traffic (e.g. application level exploits) towards the internal network; therefore the proxy's attack detection and filtering capabilities are crucial in preventing external attackers from exploiting vulnerabilities present in the internal resources that are exposed via the proxy. Usually such a reverse proxy mechanism is provided by using an application layer firewall that focuses on the specific shape and contents of the traffic rather than just controlling access to specific TCP and UDP ports (as a packet filter firewall would do), but a reverse proxy is usually not a good substitute for a well thought out DMZ design as it has to rely on continuous signature updates for updated attack vectors.

Architecture

There are many different ways to design a network with a DMZ. Two of the most basic methods are with a single firewall, also known as the three-legged model, and with dual firewalls, also known as back to back. These architectures can be expanded to create very complex architectures depending on the network requirements.

Single firewall

A single firewall with at least 3 network interfaces can be used to create a network architecture containing a DMZ. The external network is formed from the ISP to the firewall on the first network interface, the internal network is formed from the second network interface, and the DMZ is formed from the third network interface. The firewall becomes a single point of failure for the network and must be able to handle all of the traffic going to the DMZ as well as the internal network. The zones are usually marked with colors -for example, purple for LAN, green for DMZ, red for Internet (with often another color used for wireless zones).

Dual firewall

The most secure approach, according to Colton Fralick,^[4] is to use two firewalls to create a DMZ. The first firewall (also called the "front-end" or "perimeter"^[5] firewall) must be configured to allow traffic destined to the DMZ only. The second firewall (also called "back-end" or "internal" firewall) only allows traffic to the DMZ from the internal network.

This setup is considered^[4] more secure since two devices would need to be compromised. There is even more protection if the two firewalls are provided by two different vendors, because it makes it less likely that both devices suffer from the same security vulnerabilities. For example, a security hole found to exist in one vendor's system is less likely to occur in the other one. One of the drawbacks of this architecture is that it's more costly, both to purchase and to manage.^[6] The practice of using different firewalls from different vendors is sometimes described as a component of a "defense in depth"^[7] security strategy.

DMZ host

Some routers have a feature called DMZ host. This feature could designate one node (PC or other device with an IP address) as a DMZ host. The router's firewall exposes all ports on the DMZ host to the external network and hinders no inbound traffic from the outside going to the DMZ host.^[8]^[9] This is a less secure alternative to port forwarding, which only exposes a handful of ports. This feature must be avoided, except when:^[9]

The node designated as DMZ host is the downstream firewall of the actual DMZ (perhaps the router itself isn't part of a home network)
The node runs a powerful firewall capable of regulating internal security
The sheer number of ports is too great for the port-forwarding feature
Correct port forwarding rules could not be formulated in advance
The router's port forwarding is not capable of handling relevant traffic, e.g., 6in4 or GRE tunnels

In all but the first scenario above, the DMZ host feature is used outside a true DMZ configuration.

Related Research Articles

Wake-on-LAN is an Ethernet or Token Ring computer networking standard that allows a computer to be turned on or awakened from sleep mode by a network message. It is based upon AMD's Magic Packet Technology, which was co-developed by AMD and Hewlett-Packard, following its proposal as a standard in 1995. The standard saw quick adoption thereafter through IBM, Intel and others.

An email client, email reader or, more formally, message user agent (MUA) or mail user agent is a computer program used to access and manage a user's email.

Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was initially used to bypass the need to assign a new address to every host when a network was moved, or when the upstream Internet service provider was replaced but could not route the network's address space. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network.

In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. It improves privacy, security, and possibly performance in the process.

SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded. A SOCKS server accepts incoming client connection on TCP port 1080, as defined in RFC 1928.

A personal firewall is an application which controls network traffic to and from a computer, permitting or denying communications based on a security policy. Typically it works as an application layer firewall.

<span class="mw-page-title-main">Port forwarding</span> Computer networking feature

In computer networking, port forwarding or port mapping is an application of network address translation (NAT) that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. This technique is most commonly used to make services on a host residing on a protected or masqueraded (internal) network available to hosts on the opposite side of the gateway, by remapping the destination IP address and port number of the communication to an internal host.

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks, so named by analogy to the bastion, a military fortification. The computer generally hosts a single application or process, for example, a proxy server or load balancer, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily due to its location and purpose, which is either on the outside of a firewall or inside of a demilitarized zone (DMZ) and usually involves access from untrusted networks or computers. These computers are also equipped with special networking interfaces to withstand high-bandwidth attacks through the internet.

In computer networks, a tunneling protocol is a communication protocol which allows for the movement of data from one network to another. They can, for example, allow private network communications to be sent across a public network, or for one network protocol to be carried over an incompatible network, through a process called encapsulation.

Network address translation traversal is a computer networking technique of establishing and maintaining Internet Protocol connections across gateways that implement network address translation (NAT).

In network security a screened subnet refers to the use of one or more logical screening routers as a firewall to define three separate subnets: an external router, that separates the external network from a perimeter network, and an internal router that separates the perimeter network from the internal network. The perimeter network, also called a border network or demilitarized zone (DMZ), is intended for hosting servers that are accessible from or have access to both the internal and external networks. The purpose of a screened subnet or DMZ is to establish a network with heightened security that is situated between an external and presumed hostile network, such as the Internet or an extranet, and an internal network.

An application delivery controller (ADC) is a computer network device in a datacenter, often part of an application delivery network (ADN), that helps perform common tasks, such as those done by web accelerators to remove load from the web servers themselves. Many also provide load balancing. ADCs are often placed in the DMZ, between the outer firewall or router and a web farm.

Web-based SSH is the provision of Secure Shell (SSH) access through a web browser. SSH is a secure network protocol that is commonly used to remotely control servers, network devices, and other devices. With web-based SSH, users can access and manage these devices using a standard web browser, without the need to install any additional software.

In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on configurable security rules. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet, or between several VLANs.

A jump server, jump host or jump box is a system on a network used to access and manage devices in a separate security zone. A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. The most common example is managing a host in a DMZ from trusted networks or computers.

In information security, a guard is a device or system for allowing computers on otherwise separate networks to communicate, subject to configured constraints. In many respects a guard is like a firewall and guards may have similar functionality to a gateway.

Port Control Protocol (PCP) is a computer networking protocol that allows hosts on IPv4 or IPv6 networks to control how the incoming IPv4 or IPv6 packets are translated and forwarded by an upstream router that performs network address translation (NAT) or packet filtering. By allowing hosts to create explicit port forwarding rules, handling of the network traffic can be easily configured to make hosts placed behind NATs or firewalls reachable from the rest of the Internet, which is a requirement for many applications.

<span class="mw-page-title-main">Endian Firewall</span> Linux distribution

Endian Firewall is an open-source router, firewall and gateway security Linux distribution developed by the South Tyrolean company Endian. The product is available as either free software, commercial software with guaranteed support services, or as a hardware appliance.

A web shell is a shell-like interface that enables a web server to be remotely accessed, often for the purposes of cyberattacks. A web shell is unique in that a web browser is used to interact with it.

References

↑ "Control System Security DMZ". Official website of The Cybersecurity and Infrastructure Security Agency (CISA) for the Dept. of Homeland Security, USA. Archived from the original on 2020-06-09. Retrieved 2020-06-09.
↑ "What is a DMZ and How does it Work?". Techtarget SearchSecurity. Retrieved 2020-06-09.
↑ Bradley Mitchell (27 August 2018). "Demilitarized Zone in Computer Networking" . Retrieved 10 December 2018.
1 2 Jacobs, Stuart (2015). Engineering Information Security: The Application of Systems Engineering Concepts to Achieve Information Assurance. John Wiley & Sons. p. 296. ISBN 9781119101604.
↑ "Perimeter Firewall Design". Microsoft Security TechCenter. Microsoft Corporation. 29 June 2009. Retrieved 14 October 2013.
↑ Zeltzer, Lenny (April, 2002). "Firewall Deployment for Multitier Applications"
↑ Young, Scott (2001). "Designing a DMZ". SANS Institute. p. 2. Retrieved 11 December 2015.
↑ "What is a DMZ and how to configure DMZ host". tp-link.com. TP-Link Systems Inc. 27 April 2017.
1 2 "What does the DMZ setting on routers do". MicroCenter.com. Micro Electronics. Retrieved 14 December 2024.