What is a DMZ and how to protect your network
A Demilitarized Zone (DMZ) is a buffer zone that prevents unwanted communications without jeopardizing or interrupting services. The DMZ receives all incoming packets from the outer network, verifies them and then takes appropriate action as per the firewall rules defined by the security administrators.
There is a classic DMZ which consists of 2 firewalls: a perimeter firewall, which allows traffic from the outside into the DMZ zone only, and a second firewall, which allows traffic from the DMZ to the internal network. This type of zone is considered more secure since 2 devices would have to be compromised to gain access. It is even more secure if 2 different vendors are used for the devices, since it would be less likely that both devices would have the same vulnerabilities. A drawback to this type is the cost of equipment. The DMZ configuration is a key aspect for it to work effectively.
Hosts in the DMZ are permitted to have only limited connectivity to specific hosts in the internal network, as the content of the DMZ is not as secure as the internal network. Similarly, communication between hosts in the DMZ and the external network is also restricted, to make the DMZ more secure than the Internet and suitable for housing these special purpose services. This allows hosts in the DMZ to communicate with both the internal and external network, while an intervening firewall controls the traffic between the DMZ servers and the internal network clients, and another firewall performs some level of control to protect the DMZ from the external network.
Another type of DMZ is a Service Leg. This is for small business or home networks. The "3 legged" DMZ is constructed with 1 external firewall and is configured for 3 different zones. One zone is the internal network, another is the DMZ network and finally the Internet. All of the zones are configured to only "see" or "receive" traffic for their own zone. These configurations are accomplished by rules assigned in the firewall. Each zone has its own set of rules.
You'll probably want to block traffic from the Internet to the internal computers. You should also restrict traffic from the DMZ to the internal network, as well as traffic from the Internet to the DMZ. Allow only the traffic that is necessary for your users to access the resources they need. This means using the "principle of least privilege": your default is to start by denying all traffic and then allowing protocols and opening ports on a "need to know" basis.
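As an added example (not from the original post), here is a small Python model of the three-legged rule set just described: three zones behind one firewall, an allow list for new connections, and a default deny for everything else. The zone address ranges, the server hosts and the ports are assumptions chosen for the illustration; reply traffic is assumed to be handled by the firewall's connection tracking and is not modelled.

```python
import ipaddress

# Constructed three-legged layout (assumed addresses): one firewall, three zones.
# Anything outside the two private ranges is treated as the Internet.
ZONES = {
    "dmz":      ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/16"),
}


def zone_of(ip):
    """Map an address to the firewall zone (interface) it sits behind."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


# Allow list only; any new connection not matched below is dropped
# (default deny, least privilege).  Rule fields:
#   (from_zone, to_zone, destination host or None for any, port or None for any)
ALLOW = [
    ("internet", "dmz",      "192.0.2.10", 443),   # public web server
    ("internet", "dmz",      "192.0.2.25", 25),    # mail relay
    ("dmz",      "internal", "10.0.5.20",  5432),  # web server -> one database host only
    ("internal", "dmz",      None,         None),  # internal users reach DMZ services
    ("internal", "internet", None,         None),  # outbound browsing
]
# Note what is absent: no internet -> internal rule at all, and no dmz -> internet
# rule, so a compromised DMZ host cannot open connections outward on its own.


def decide(src_ip, dst_ip, dst_port):
    """Return 'ALLOW' or 'DENY' for one new connection through the firewall."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "ALLOW"  # same-segment traffic never reaches the firewall
    for from_zone, to_zone, host, port in ALLOW:
        if (from_zone, to_zone) == (src_zone, dst_zone) \
                and host in (None, dst_ip) and port in (None, dst_port):
            return "ALLOW"
    return "DENY"


def audit(connections):
    """Evaluate a list of (src, dst, port) tuples; useful for checking a rule set."""
    return [(src, dst, port, decide(src, dst, port)) for src, dst, port in connections]
```

Running `audit` over a handful of constructed connections quickly shows whether a change to `ALLOW` has accidentally opened a path from the Internet to the internal zone.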
There is a special use for the anonymous DMZ that is becoming more popular: creating a "honeynet." This is a network that consists of one or more "honeypot" computers that are designed to lure hackers, either so they can be caught or tracked, or to divert them from the network's real resources. Unlike with other DMZs, you actually want this network to be compromised.
Often the computers on the honeynet are virtual machines that are all installed on a single physical machine, and intrusion detection systems and other monitoring systems are put in place to gather information about the hackers' techniques, tactics and identities.
So as you can see, the DMZ is not only a place in Korea but also an important part of protecting a network.