What is a DMZ



One of the crucial devices in any IP network is the Firewall, which provides a means of access control between different segments of the network, and in particular between private networks and the Internet. In security terms the Internet is often referred to as an untrusted network, while the local network is trusted. We create security domains with different levels of trust, with a Firewall providing the entry point to each security domain.


When a business needs to provide a service to users on the Internet, such as a Web Service, a DMZ (Demilitarized Zone) is often created to isolate the Web Server from other company IT assets. The main company network is referred to as the Inside Network, the Internet is the Outside Network, and between them we have the DMZ. The firewall controls access to the DMZ from both the Inside and Outside networks by means of packet filters, with further packet filters applied to traffic entering the Inside network from the Internet. A simple DMZ is commonly called a "screened subnet".


For additional security some DMZs employ a Proxy Server or ALG (Application Layer Gateway) to provide a more secure means of controlling the flow of data between the Inside and Outside networks. The Proxy Server or ALG establishes separate application sessions between a client on the Inside network and servers on the Outside network by acting as a server for the clients and as a client for the Internet servers. This ensures that when a session is initiated from the Inside, the ALG can inspect the request and then set up a separate session to the Internet server.


The DMZ itself is used to host any services that a company or organisation wants to be accessible from the Internet. The additional proxy server or ALG provides secure outside access for inside network users. Any attack on the DMZ hosts can be contained without putting user client devices at risk of compromise, because the Firewall provides packet filtering points that confine Internet attacks to the DMZ. Additional security measures such as Private VLANs can also be used to ensure that an attack on one DMZ server does not leave the other DMZ servers vulnerable, by isolating each service within its own VLAN or subnet.


If cost is not an issue, or a higher level of security is required, then multiple Firewalls can be used: one facing the Internet before the DMZ and another facing the inside network after the DMZ, with the DMZ being the security zone between the two Firewalls.


There are 3 general types of Firewall, using 3 types of technology. The first is Packet Filtering, which limits traffic entering a network using ACLs (Access Control Lists) that permit or deny traffic based on the Layer 3 IP address and/or the Layer 4 TCP and UDP port numbers.


The second is the Stateful Packet Filter, often referred to as an application-aware packet filter. These packet filters maintain a state table that records the status of every inbound and outbound session. The filter inspects all packet flows, and if a packet's properties match an entry in the state table then it is forwarded. The state table is dynamically updated as the status of any session changes.


The third is the Application Level Gateway, which operates at the Application Layer of the network model by inspecting packets predominantly at the Transport Layer, but also using information from other layers, including the Application Layer. This type of Firewall acts as an intermediary between the Internet and the Inside network. A Proxy Server is another term sometimes used for an ALG.
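To make the screened-subnet policy and the stateful state table concrete, here is an added example (not from the original page) of a toy stateful packet filter for the three-zone layout above. The subnets, rule set and port numbers are constructed assumptions; anything not explicitly permitted is denied, including all traffic from the DMZ to the Inside network.

```python
# Toy stateful packet filter for an Inside / DMZ / Outside layout.
# Added example, not the page's own code; addressing and policy are constructed.
import ipaddress

ZONES = {  # constructed addressing, one subnet per security domain
    "inside": ipaddress.ip_network("10.0.0.0/24"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

# Static ACL policy: (from_zone, to_zone, dst_port). Default is deny, so a
# DMZ host can never open a session towards Inside, even if compromised.
PERMIT = {
    ("outside", "dmz", 443),     # public web service hosted in the DMZ
    ("inside", "dmz", 443),      # staff reach the same service
    ("inside", "outside", 443),  # outbound browsing from Inside
}


def zone_of(ip):
    """Map an address to its security domain; anything unlisted is Outside."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"


class StatefulFilter:
    def __init__(self):
        # State table: 5-tuples of sessions that were permitted by the ACL.
        self.state = set()

    def check(self, src, sport, dst, dport, proto="tcp"):
        """Return True if the packet is forwarded, False if it is dropped."""
        fwd = (proto, src, sport, dst, dport)
        rev = (proto, dst, dport, src, sport)  # how a reply to fwd looks
        if fwd in self.state or rev in self.state:
            return True  # part of an established session, either direction
        if (zone_of(src), zone_of(dst), dport) in PERMIT:
            self.state.add(fwd)  # new session allowed by ACL: remember it
            return True
        return False  # no ACL match and no state entry: drop


if __name__ == "__main__":
    fw = StatefulFilter()
    print(fw.check("198.51.100.7", 40000, "192.0.2.10", 443))  # Outside -> DMZ web
    print(fw.check("192.0.2.10", 443, "198.51.100.7", 40000))  # reply via state table
    print(fw.check("192.0.2.10", 5000, "10.0.0.5", 22))        # DMZ -> Inside dropped
```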

