A demilitarized zone (DMZ) is a part of a private (usually corporate) network that permits controlled access from the Internet. Servers that are accessed by people and systems on the Internet are placed in an isolated part of the private network and shielded from the rest of the network by a firewall. In a true DMZ, no inbound traffic reaches the firewall protecting the private network unless it has first been handled by a server in the DMZ.
The basic rationale of a DMZ is that it is inherently dangerous to permit any traffic coming from the Internet to touch the private network in any way. A DMZ is part of a multi-layered security configuration. The most common type of servers placed in the DMZ are web servers, email servers, and DNS servers, although any type of server may be placed in this portion of the network.
The servers in a DMZ act as communication proxies, and are thus known as proxy servers. Traffic between internal systems and the external Internet passes through these servers, which provide a layer of security for the systems and applications within the corporate network.
A good example is email. Because the external email server is exposed to the Internet, it is not a good place to store email. Most corporations implement an email server in the private portion of the network that is the true repository of user email. When someone in the Internet sends a user an email, the email is delivered to the external email server in the DMZ. This server implements spam filtering rules, scans emails for viruses and other malware, and then forwards sanitized email through the firewall to the email server inside the private network. The levels of protection here are significant. The router is programmed to forward all packets containing the email protocol (SMTP) to the external email server. The firewall is programmed to only accept packets containing the SMTP protocol from the external proxy email server. The internal email server is programmed to accept SMTP connection requests only from the external email server. If the external email server is kept up-to-date, patched, and loaded with the latest virus and spam protection rules, the combination of all of this makes it very unlikely (but not impossible) that a compromised email message will reach the user within the corporate network.
There are several possible configurations for a DMZ. We will quickly examine three fairly common ones.
One Firewall - Weak Configuration
Technically, this is actually not a DMZ configuration. The reason why it would not be considered a "true" DMZ is because the firewall is receiving packets directly from the Internet, which exposes it more directly to attacks. It is also very common, in this configuration, for the firewall to be functioning as a simple security switch for the external servers. That is to say, the servers are not true proxies; instead, the firewall is merely implementing stronger filtering rules for the internal network than it is for the external network. That would be the weakest security configuration, essentially only one step up from providing no firewall protection at all.
That being said, this configuration is very commonly found and is commonly referred to as a DMZ.
One Firewall - Strong Configuration
This configuration is significantly stronger. The router is programmed to forward all inbound traffic to the relevant proxy server in the DMZ. The firewall is programmed to accept inbound packets only from these proxies, and never from the router. It is also programmed to forward all outbound traffic to the appropriate proxy, and the router is programmed to accept outbound traffic only from the proxies. This is a true DMZ configuration and can be very secure. If the router also implements simple packet filters as a first line of defense, the strength of this configuration is enhanced further.
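To make the layering concrete, here is an added example (not code from the article or from any particular firewall product) that models the email path described earlier and the difference between the weak and strong single-firewall configurations as ordered packet-filter rule lists. Every address, interface name and hop name in it is constructed for illustration; the point it demonstrates is that in the strong configuration a packet can only reach the internal mail server by passing the router's destination check, the proxy hop, the firewall's interface-plus-source check, and the host's own source check, whereas the weak configuration's firewall filters on port alone.

```python
# Added example: model of the layered packet policy described in this
# article (router -> DMZ proxy -> firewall -> internal server). Not the
# article's code; all addresses, interface names and hop names are
# constructed for illustration.
from dataclasses import dataclass

SMTP = 25

# Constructed addresses (documentation ranges on the public side).
INTERNET_HOST = "203.0.113.5"   # an arbitrary sender on the Internet
EXTERNAL_MAIL = "192.0.2.25"    # proxy mail server living in the DMZ
INTERNAL_MAIL = "10.0.0.25"     # true mailbox server on the private network
PROXIES = {EXTERNAL_MAIL}


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination TCP port
    iface: str   # interface the packet arrives on at the device evaluating it


def first_match(rules, pkt, default="drop"):
    """Evaluate an ordered rule list; the first matching predicate wins,
    and anything unmatched falls through to the default verdict (drop)."""
    for predicate, verdict in rules:
        if predicate(pkt):
            return verdict
    return default


# Access router: forwards SMTP arriving from the Internet only to the proxy.
ROUTER_RULES = [
    (lambda p: p.iface == "internet" and p.dst in PROXIES and p.dport == SMTP,
     "accept"),
]

# Strong single-firewall DMZ: inbound SMTP is accepted only when it comes
# from a proxy on the DMZ interface, never straight from the router.
FIREWALL_STRONG = [
    (lambda p: p.iface == "dmz" and p.src in PROXIES and p.dport == SMTP,
     "accept"),
]

# Weak configuration: the firewall sits directly behind the router and only
# filters on port, so any Internet host may reach the mail server on 25.
FIREWALL_WEAK = [
    (lambda p: p.dst == INTERNAL_MAIL and p.dport == SMTP, "accept"),
]

# Host policy on the internal mail server: SMTP only from the external proxy.
INTERNAL_HOST_RULES = [
    (lambda p: p.src == EXTERNAL_MAIL and p.dport == SMTP, "accept"),
]


def trace_strong(pkt):
    """Walk an Internet-originated packet through the strong DMZ.

    Returns a list of (hop, verdict) pairs; the walk stops at the first drop.
    """
    hops = []
    verdict = first_match(ROUTER_RULES, pkt)
    hops.append(("router", verdict))
    if verdict != "accept":
        return hops
    # The proxy terminates the external connection (this is where spam and
    # malware filtering happens) and opens a fresh connection inward, so the
    # packet the firewall sees has the proxy as its source and arrives on the
    # DMZ interface rather than from the router.
    relayed = Packet(src=EXTERNAL_MAIL, dst=INTERNAL_MAIL, dport=SMTP, iface="dmz")
    verdict = first_match(FIREWALL_STRONG, relayed)
    hops.append(("firewall", verdict))
    if verdict != "accept":
        return hops
    verdict = first_match(INTERNAL_HOST_RULES, relayed)
    hops.append(("internal-mail", verdict))
    return hops


def delivered_strong(pkt):
    """True only if every hop of the strong configuration accepted."""
    return trace_strong(pkt)[-1][1] == "accept"


if __name__ == "__main__":
    legit = Packet(INTERNET_HOST, EXTERNAL_MAIL, SMTP, "internet")
    direct = Packet(INTERNET_HOST, INTERNAL_MAIL, SMTP, "internet")
    print("legit via proxy:", trace_strong(legit))
    print("direct to internal host:", trace_strong(direct))
    # Same packet presented to the firewall's outside (router-facing) side:
    at_fw = Packet(INTERNET_HOST, INTERNAL_MAIL, SMTP, "outside")
    print("weak firewall:", first_match(FIREWALL_WEAK, at_fw))
    print("strong firewall:", first_match(FIREWALL_STRONG, at_fw))
```

Run as a script, the trace for the legitimate message shows accept at all three hops, while a packet addressed straight to the internal mail server is dropped at the router and, if it somehow arrived at the firewall's router-facing side, is dropped again by the strong rule set's interface check even when it claims the proxy's source address. The weak rule set accepts the same packet because it never asks where the packet came from.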
Two Firewall Configuration
If one firewall is strong, two firewalls can be stronger. In this configuration, a firewall backs up the access router and provides a stronger level of protection for the proxies and for the internal firewall. The strength of the configuration is enhanced if the two firewalls are from different vendors: if someone were able to crack the external firewall, they would then be faced with a completely different platform when trying to break into the internal firewall.
Podcast audio (download): http://podcast.hill-vt.com/podsnacks/2007q4/dmz.mp3 | Demilitarized zone (DMZ)