DMZ (computing)

In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical
subnetwork that contains and exposes an organization's external-facing services to an untrusted network, usually a larger network
such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an
external network node can access only what is exposed in the DMZ, while the rest of the organization's network is firewalled. The
DMZ functions as a small, isolated network positioned between the Internet and the private network.

The name is derived from the term "demilitarized zone", an area between nation states in which military operation is not permitted.

Contents
Rationale
Architecture
Single firewall
Dual firewall
DMZ host
See also
References

Rationale
In the military sense, a DMZ is not seen as belonging to either party bordering it. This concept applies to the computing use of the
metaphor in that a DMZ which is, for example, acting as a gateway to the public Internet, is neither as secure as the internal network,
nor as insecure as the public internet.

In this case, the hosts most vulnerable to attack are those that provide services to users outside of the local area network, such as e-mail, Web and Domain Name System (DNS) servers. Because of the increased potential of these hosts suffering an attack, they are placed into this specific subnetwork in order to protect the rest of the network should any of them become compromised.

Hosts in the DMZ are permitted to have only limited connectivity to specific hosts in the internal network, as the content of the DMZ is not as secure as the internal network. Similarly, communication between hosts in the DMZ and the external network is also restricted, to make the DMZ more secure than the Internet and suitable for housing these special-purpose services. This allows hosts in the DMZ to communicate with both the internal and external networks, while an intervening firewall controls the traffic between the DMZ servers and the internal network clients, and another firewall performs some level of control to protect the DMZ from the external network.

A DMZ configuration provides security from external attacks, but it typically has no bearing on internal attacks such as sniffing
communication via a packet analyzer or spoofing such as e-mail spoofing.

It is also sometimes good practice to configure a separate Classified Militarized Zone (CMZ), a highly monitored militarized zone
comprising mostly Web servers (and similar servers that interface to the external world i.e. the Internet) that are not in the DMZ but
contain sensitive information about accessing servers within LAN (like database servers). In such architecture, the DMZ usually has
the application firewall and the FTP while the CMZ hosts the Web servers. (The database servers could be in the CMZ, in the LAN,
or in a separate VLAN altogether.)

Any service that is being provided to users on the external network can be placed in the DMZ. The most common of these services are:

Web servers
Mail servers
FTP servers
VoIP servers

Web servers that communicate with an internal database require access to a database server, which may not be publicly accessible and may contain sensitive information. The web servers can communicate with database servers either directly or through an application firewall for security reasons.

E-mail messages and particularly the user database are confidential, so they are typically stored on servers that cannot be accessed
from the Internet (at least not in an insecure manner), but can be accessed from email servers that are exposed to the Internet.

The mail server inside the DMZ passes incoming mail to the secured/internal mail servers. It also handles outgoing mail.

For security, compliance with legal standards such as HIPAA, and monitoring reasons, in a business environment, some enterprises install a proxy server within the DMZ. This has the following benefits:

Obliges internal users (usually employees) to use the proxy server for Internet access.
Reduces Internet access bandwidth requirements, since some web content may be cached by the proxy server.
Simplifies recording and monitoring of user activities.
Centralizes web content filtering.

A reverse proxy server, like a proxy server, is an intermediary, but is used the other way around. Instead of providing a service to internal users wanting to access an external network, it provides indirect access for an external network (usually the Internet) to internal resources. For example, access to a back-office application such as an email system could be provided to external users (to read emails while outside the company), but the remote user would not have direct access to their email server. Only the reverse proxy server can physically access the internal email server. This is an extra layer of security, which is particularly recommended when internal resources need to be accessed from the outside. Usually such a reverse proxy mechanism is provided by using an application layer firewall, as these focus on the specific shape of the traffic rather than controlling access to specific TCP and UDP ports as a packet filter firewall does.
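The following is an added example, not code from the article, showing the kind of application-layer decision a DMZ reverse proxy makes before relaying a request to an internal webmail server. The published name mail.example.com, the upstream address 10.0.0.25:8080, the /mail path prefix and the sample requests are all constructed; the policy (allowed methods, one Host header, no absolute-form targets, normalised path under the published prefix, client-supplied forwarding headers replaced) is illustrative of "the shape of the traffic" rather than a description of any product.

```python
"""Admission check for a reverse proxy in the DMZ that publishes an internal
webmail application to the Internet (added example; all names constructed)."""
from __future__ import annotations

import posixpath
from urllib.parse import unquote, urlsplit

PUBLISHED_HOST = "mail.example.com"   # name external users connect to (constructed)
UPSTREAM = "10.0.0.25:8080"           # internal mail front end, never reachable directly (constructed)
ALLOWED_METHODS = {"GET", "POST"}
PUBLISHED_PREFIX = "/mail"            # only the webmail application is exposed (constructed)
# Hop-by-hop headers belong to the client<->proxy hop only, so they are not relayed.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authorization", "te",
              "trailer", "transfer-encoding", "upgrade"}


class Rejected(Exception):
    """Raised with the reason a request is refused at the proxy."""


def parse_request(raw: str) -> tuple[str, str, str, list[tuple[str, str]], str]:
    """Split a raw HTTP/1.x request into method, target, version, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise Rejected("malformed request line")
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise Rejected("malformed header line")
        headers.append((name.strip(), value.strip()))
    return parts[0], parts[1], parts[2], headers, body


def admit(raw: str, client_ip: str) -> str:
    """Return the request to relay to UPSTREAM, or raise Rejected with the reason."""
    method, target, version, headers, body = parse_request(raw)
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise Rejected(f"unsupported version {version}")
    if method not in ALLOWED_METHODS:
        raise Rejected(f"method {method} is not published")
    hosts = [v for n, v in headers if n.lower() == "host"]
    if len(hosts) != 1:               # zero or duplicate Host headers are ambiguous
        raise Rejected("exactly one Host header is required")
    if hosts[0] != PUBLISHED_HOST:
        raise Rejected("Host is not the published name")
    url = urlsplit(target)
    if url.scheme or url.netloc:      # absolute-form targets would make this an open proxy
        raise Rejected("absolute-form request target is not accepted")
    # Decode and normalise before comparing, so "/mail/%2e%2e/admin" is seen as "/admin".
    path = posixpath.normpath(unquote(url.path))
    if not (path == PUBLISHED_PREFIX or path.startswith(PUBLISHED_PREFIX + "/")):
        raise Rejected(f"path {path} is not published")
    # Relay only end-to-end headers and replace any client-supplied forwarding headers,
    # so the internal application sees the proxy's view of the client, not the client's claim.
    relayed = [(n, v) for n, v in headers
               if n.lower() not in HOP_BY_HOP and not n.lower().startswith("x-forwarded-")]
    relayed.append(("X-Forwarded-For", client_ip))
    relayed.append(("X-Forwarded-Host", PUBLISHED_HOST))
    query = f"?{url.query}" if url.query else ""
    head = f"{method} {path}{query} HTTP/1.1\r\n" + "".join(f"{n}: {v}\r\n" for n, v in relayed)
    return head + "\r\n" + body


def verdict(raw: str, client_ip: str = "203.0.113.7") -> str:
    """Convenience wrapper: 'forward' or 'reject: <reason>'."""
    try:
        admit(raw, client_ip)
        return "forward"
    except Rejected as exc:
        return f"reject: {exc}"


# Constructed sample requests, as they might arrive from the Internet.
SAMPLES = {
    "inbox": "GET /mail/inbox?folder=sent HTTP/1.1\r\nHost: mail.example.com\r\n"
             "X-Forwarded-For: 10.0.0.1\r\n\r\n",
    "traversal": "GET /mail/%2e%2e/admin/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "unpublished": "GET /admin/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "open_proxy": "GET http://10.0.0.50/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "wrong_host": "GET /mail/ HTTP/1.1\r\nHost: 10.0.0.25\r\n\r\n",
    "method": "DELETE /mail/inbox HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} {verdict(raw)}")
```

Only the "inbox" sample is relayed; the relayed copy carries the proxy's own X-Forwarded-For rather than the value the client sent. The other five are refused at the proxy and never reach the internal server, which is the point of the design: the packet filter in front of the DMZ only sees TCP port 443, while the proxy sees the request itself.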

Architecture
There are many different ways to design a network with a DMZ. Two of the most basic methods are with a single firewall, also
known as the three legged model, and with dual firewalls. These architectures can be expanded to create very complex architectures
depending on the network requirements.

Single firewall
A single firewall with at least 3 network interfaces can be used to create a network architecture containing a DMZ. The external network is formed from the ISP to the firewall on the first network interface, the internal network is formed from the second network interface, and the DMZ is formed from the third network interface. The firewall becomes a single point of failure for the network and must be able to handle all of the traffic going to the DMZ as well as the internal network. The zones are usually marked with colors - for example, purple for LAN, green for DMZ, red for Internet (with often another color used for wireless zones).

[Figure: Diagram of a typical three-legged network model employing a DMZ using a single firewall.]

Dual firewall
The most secure approach, according to Colton Fralick,[1] is to use two firewalls to create a DMZ. The first firewall (also called the "front-end" or "perimeter"[2] firewall) must be configured to allow traffic destined to the DMZ only. The second firewall (also called "back-end" or "internal" firewall) only allows traffic from the DMZ to the internal network.

This setup is considered[1] more secure since two devices would need to be compromised. There is even more protection if the two firewalls are provided by two different vendors, because it makes it less likely that both devices suffer from the same security vulnerabilities. For example, accidental misconfiguration is less likely to occur the same way across the configuration interfaces of two different vendors, and a security hole found to exist in one vendor's system is less likely to occur in the other one. One of the drawbacks of this architecture is that it's more costly, both to purchase, and to manage.[3] The practice of using different firewalls from different vendors is sometimes described as a component of a "defense in depth"[4] security strategy.

[Figure: Diagram of a typical network employing DMZ using dual firewalls.]
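The following added example (not the article's or any vendor's code) models the access policy of the Rationale section in both the single-firewall (three-legged) and the dual-firewall layout. The address ranges (documentation prefixes), host roles, ports and rules are constructed. Each firewall is a default-deny, first-match rule list keyed on the zone of the source and destination; in the dual design a flow must be accepted by every firewall on its path, which is what "two devices would need to be compromised" means in practice.

```python
"""Zone-policy model of the three-legged and dual-firewall DMZ designs
(added example; addresses, hosts, ports and rules are constructed)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str        # source address
    dst: str        # destination address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any port
    dst_host: Optional[str] = None   # None matches any host in dst_zone
    action: str = "accept"


# Constructed address plan: one interface per zone; anything else is "internet".
ZONES = {"lan": "10.0.0.0/24", "dmz": "192.0.2.0/24"}


class ZoneFirewall:
    """A firewall with one interface per zone; first matching rule wins, default deny."""

    def __init__(self, zones: dict[str, str], rules: list[Rule]):
        self.zones = {name: ip_network(cidr) for name, cidr in zones.items()}
        self.rules = rules

    def zone_of(self, ip: str) -> str:
        addr = ip_address(ip)
        for name, net in self.zones.items():
            if addr in net:
                return name
        return "internet"

    def decide(self, f: Flow) -> str:
        sz, dz = self.zone_of(f.src), self.zone_of(f.dst)
        for r in self.rules:
            if (r.src_zone, r.dst_zone) != (sz, dz):
                continue
            if r.proto is not None and r.proto != f.proto:
                continue
            if r.dport is not None and r.dport != f.dport:
                continue
            if r.dst_host is not None and r.dst_host != f.dst:
                continue
            return r.action
        return "drop"


# Single firewall, three legs: one device holds the whole policy.
SINGLE = ZoneFirewall(ZONES, [
    Rule("internet", "dmz", "tcp", 443, dst_host="192.0.2.10"),  # public web server
    Rule("internet", "dmz", "tcp", 25, dst_host="192.0.2.20"),   # inbound mail relay
    Rule("dmz", "lan", "tcp", 5432, dst_host="10.0.0.50"),       # web server -> database only
    Rule("dmz", "lan", "tcp", 25, dst_host="10.0.0.25"),         # relay -> internal mail server
    Rule("dmz", "internet", "tcp", 25),                          # relay delivers outbound mail
    Rule("lan", "dmz"),                                          # internal clients/admins reach the DMZ
    Rule("lan", "internet"),                                     # internal clients browse out
])

# Dual firewalls: the front end admits Internet traffic for the DMZ only (the LAN's own
# outbound traffic also crosses it); the back end admits only the DMZ -> LAN connections it knows.
FRONT = ZoneFirewall(ZONES, [
    Rule("internet", "dmz", "tcp", 443, dst_host="192.0.2.10"),
    Rule("internet", "dmz", "tcp", 25, dst_host="192.0.2.20"),
    Rule("dmz", "internet", "tcp", 25),
    Rule("lan", "internet"),
])
BACK = ZoneFirewall(ZONES, [
    Rule("dmz", "lan", "tcp", 5432, dst_host="10.0.0.50"),
    Rule("dmz", "lan", "tcp", 25, dst_host="10.0.0.25"),
    Rule("lan", "dmz"),
    Rule("lan", "internet"),
])
# A front end that has been opened completely (misconfiguration), used to show that
# the back end still holds the line for the internal network.
OPEN_FRONT = ZoneFirewall(ZONES, [Rule("internet", "dmz"), Rule("internet", "lan"),
                                  Rule("dmz", "internet"), Rule("lan", "internet")])


def dual_decide(f: Flow, front: ZoneFirewall = FRONT, back: ZoneFirewall = BACK) -> str:
    """A flow crosses the front end if either endpoint is on the Internet and the back end
    if either endpoint is on the LAN; it passes only if every firewall on its path accepts."""
    ends = {front.zone_of(f.src), front.zone_of(f.dst)}
    hops = ([front] if "internet" in ends else []) + ([back] if "lan" in ends else [])
    return "accept" if all(fw.decide(f) == "accept" for fw in hops) else "drop"


if __name__ == "__main__":
    for f in (Flow("203.0.113.5", "192.0.2.10", "tcp", 443),   # Internet -> public web server
              Flow("203.0.113.5", "10.0.0.50", "tcp", 5432),   # Internet -> internal database
              Flow("192.0.2.10", "10.0.0.50", "tcp", 5432),    # web server -> database
              Flow("192.0.2.10", "10.0.0.60", "tcp", 445)):    # web server -> LAN file server
        print(f, "single:", SINGLE.decide(f), "dual:", dual_decide(f),
              "dual with open front end:", dual_decide(f, front=OPEN_FRONT))
```

The last case is the one the text argues for: with OPEN_FRONT standing in for a front-end firewall whose policy has been lost, the Internet-to-database flow is still dropped by the back end, whereas in the single-firewall layout one bad policy on the one device decides everything.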

DMZ host
Some home routers refer to a DMZ host. A home router DMZ host is a single address (e.g., IP address) on the internal network that
has all traffic sent to it which is not otherwise forwarded to other LAN hosts. By definition this is not a true DMZ (demilitarized
zone), since it alone does not separate the host from the internal network. That is, the DMZ host is able to connect to hosts on the
internal network, whereas hosts within a real DMZ are prevented from connecting with the internal network by a firewall that
separates them, unless the firewall permits the connection.

A firewall may allow this if a host on the internal network first requests a connection to the host within the DMZ. The DMZ host provides none of the security advantages that a subnet provides and is often used as an easy method of forwarding all ports to another firewall / NAT device. This tactic (establishing a DMZ host) is also used with systems which do not interact properly with normal firewalling rules or NAT. This can be because no forwarding rule can be formulated ahead of time (varying TCP or UDP port numbers for example, as opposed to a fixed number or fixed range). This is also used for network protocols for which the router has no programming to handle (6in4 or GRE tunnels are prototypical examples).
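The following added example, not code from the article or from any router firmware, puts the two behaviours side by side. A constructed home router delivers every unsolicited inbound packet that matches no explicit port forward to its DMZ host, and traffic from that host to other LAN hosts never passes through the router at all; a constructed back-end firewall in front of a real DMZ keeps a connection table, admits new connections only where a rule allows them, and admits return traffic only for connections it has already recorded, which is the "if a host on the internal network first requests a connection" case. Addresses, forwards and rules are all constructed.

```python
"""A home router's "DMZ host" versus a stateful firewall in front of a real DMZ
(added example; addresses, port forwards and rules are constructed)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class HomeRouter:
    """NAT router with explicit port forwards and an optional catch-all DMZ host."""

    def __init__(self, public_ip: str, lan: str,
                 forwards: dict[tuple[str, int], str], dmz_host: Optional[str] = None):
        self.public_ip = public_ip
        self.lan = ip_network(lan)
        self.forwards = forwards          # (proto, public port) -> LAN host
        self.dmz_host = dmz_host

    def deliver(self, p: Packet) -> Optional[str]:
        """LAN address a packet is delivered to, or None if the router drops it."""
        if p.dst == self.public_ip:
            # Unsolicited traffic from the Internet: explicit forward first, otherwise the
            # DMZ host receives it on whatever port it arrived; with no DMZ host it is dropped.
            return self.forwards.get((p.proto, p.dport), self.dmz_host)
        if ip_address(p.src) in self.lan and ip_address(p.dst) in self.lan:
            return p.dst   # same subnet: switched locally, nothing filters it
        return None


class StatefulFirewall:
    """Back-end firewall between a real DMZ and the LAN with a connection table."""

    def __init__(self, dmz: str, lan: str, allow_new: set[tuple[str, str, Optional[int]]]):
        self.zones = {"dmz": ip_network(dmz), "lan": ip_network(lan)}
        self.allow_new = allow_new        # (src zone, dst zone, dport or None for any)
        self.table: set[tuple] = set()    # recorded connections, as 5-tuples

    def zone_of(self, ip: str) -> str:
        addr = ip_address(ip)
        return next((z for z, net in self.zones.items() if addr in net), "other")

    def filter(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply_of = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.table or reply_of in self.table:
            return "accept (established)"
        sz, dz = self.zone_of(p.src), self.zone_of(p.dst)
        if any((sz, dz, port) in self.allow_new for port in (p.dport, None)):
            self.table.add(key)           # remember the connection so its replies can return
            return "accept (new)"
        return "drop"


def demo() -> dict[str, object]:
    """Run the constructed scenarios and return their outcomes by name."""
    router = HomeRouter("198.51.100.9", "192.168.1.0/24",
                        forwards={("tcp", 443): "192.168.1.10"}, dmz_host="192.168.1.50")
    fw = StatefulFirewall("192.0.2.0/24", "10.0.0.0/24",
                          allow_new={("lan", "dmz", None), ("dmz", "lan", 5432)})
    out: dict[str, object] = {}
    # Home router: only port 443 has a forward; everything else lands on the DMZ host...
    out["router https"] = router.deliver(Packet("203.0.113.5", 40000, "198.51.100.9", 443))
    out["router ssh"] = router.deliver(Packet("203.0.113.5", 40001, "198.51.100.9", 22))
    out["router udp 5060"] = router.deliver(Packet("203.0.113.5", 40002, "198.51.100.9", 5060, "udp"))
    # ...and the DMZ host reaches any LAN host freely: it is not isolated from them.
    out["router dmz host -> lan"] = router.deliver(Packet("192.168.1.50", 50000, "192.168.1.20", 445))
    # Real DMZ: the web server may open only its database connection towards the LAN.
    out["fw web -> db"] = fw.filter(Packet("192.0.2.10", 50001, "10.0.0.50", 5432))
    out["fw web -> fileserver"] = fw.filter(Packet("192.0.2.10", 50002, "10.0.0.60", 445))
    # An admin connects LAN -> DMZ; the reply passes only because the firewall saw the request.
    out["fw admin -> web"] = fw.filter(Packet("10.0.0.7", 51000, "192.0.2.10", 22))
    out["fw web -> admin (reply)"] = fw.filter(Packet("192.0.2.10", 22, "10.0.0.7", 51000))
    out["fw web -> other lan (no state)"] = fw.filter(Packet("192.0.2.10", 22, "10.0.0.8", 51000))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:34} {result}")
```

The two "reply" cases are what separate a real DMZ from a DMZ host: a packet from the DMZ server that looks like a reply is admitted only when the firewall recorded the internal host's request, and an identical-looking packet aimed at a different internal host with no matching entry is dropped, whereas on the home router the DMZ host can reach 192.168.1.20 without any check at all.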

See also
Bastion
Science DMZ Network Architecture: a DMZ for high performance computing

References
SolutionBase: Strengthen network defenses by using a DMZ, by Deb Shinder at TechRepublic.
Eric Maiwald. Network Security: A Beginner's Guide. Second Edition. McGraw-Hill/Osborne, 2003.
Internet Firewalls: Frequently Asked Questions, compiled by Matt Curtin, Marcus Ranum and Paul Robertson

1. Jacobs, Stuart (2015). Engineering Information Security: The Application of Systems Engineering Concepts to Achieve Information Assurance (https://books.google.com/books?id=2eQ2yxTA3tUC&pg=PA296&dq=dual+firewall+dmz&hl=en&sa=X&ved=0ahUKEwjP6YuczNPJAhXF6iYKHZ6jBq8Q6AEIPTAC#v=onepage&q=dual%20firewall%20dmz&f=false). John Wiley & Sons. p. 563. ISBN 9781119101604.
2. "Perimeter Firewall Design" (https://technet.microsoft.com/en-us/library/cc700828.aspx). Microsoft Security TechCenter. Microsoft Corporation. Retrieved 14 October 2013.
3. Zeltzer, Lenny (April 2002). "Firewall Deployment for Multitier Applications" (https://zeltser.com/firewalls-for-multitier-applications).
4. Young, Scott (2001). "Designing a DMZ" (https://www.sans.org/reading-room/whitepapers/firewalls/designing-dmz-950). SANS Institute. p. 2. Retrieved 11 December 2015.
Retrieved from "https://en.wikipedia.org/w/index.php?title=DMZ_(computing)&oldid=818319943"

This page was last edited on 2 January 2018, at 21:49.

Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.