DMZ Demilitarized Zone

In computer security, a DMZ (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization’s external-facing services to a larger untrusted network, usually the Internet.

The purpose of a DMZ is to add an additional layer of security to an organization’s local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network. The name is derived from the term “demilitarized zone”, an area between nation states in which military action is not permitted.

Most firewalls are network-level security devices, usually an appliance or an appliance in combination with network equipment. They are intended to provide a granular means of access control at a key point in a business network.

A common definition of a DMZ is a subnetwork that sits between the public internet and private networks. It exposes external-facing services to untrusted networks and adds an extra layer of security to protect the sensitive data stored on internal networks, using firewalls to filter traffic.

It is ideally located between two firewalls, and the DMZ firewall setup ensures incoming network packets are observed by a firewall—or other security tools—before they make it through to the servers hosted in the DMZ.

This means that even if a sophisticated attacker is able to get past the first firewall, they must also access the hardened services in the DMZ before they can do damage to a business.

The end goal of a DMZ is to allow an organization to access untrusted networks, such as the internet, while ensuring its private network or LAN remains secure. Organizations typically store external-facing services and resources, as well as servers for the Domain Name System (DNS), File Transfer Protocol (FTP), mail, proxy, Voice over Internet Protocol (VoIP), and web servers, in the DMZ.

A DMZ is intended to host systems that must be accessible to the Internet but in different ways than your internal network.

The degree of availability to the Internet at the network level is controlled by the firewall. The degree of availability to the Internet at the application level is controlled by software, really a combination of Web server, operating system, custom application, and often database software.

The DMZ typically allows restricted access from the Internet and from the internal network. Internal users must typically access systems within the DMZ to update information or to use data gathered or processed there.

The DMZ is intended to allow the public access to information through the Internet, but in limited ways. But since there is exposure to the Internet and a world of ingenious people, there is an ever-present risk that these systems can be compromised.

The impact of compromise is twofold: first, information on the exposed system(s) could be lost (i.e., copied, destroyed, or corrupted) and second, the system itself may be used as a platform for further attacks on sensitive internal systems.

To mitigate the first risk, the DMZ should allow access only through limited protocols (e.g., HTTP for normal Web access and HTTPS for encrypted Web access). Then the systems themselves must be configured carefully to provide protection through permissions, authentication mechanisms, careful programming, and sometimes encryption.

Think about what information your website or application will be gathering and storing. That is what can be lost if systems are compromised through common Web attacks such as SQL injection, buffer overflows or incorrect permissions.

To mitigate the second risk, DMZ systems should not be trusted by systems deeper on the internal network. In other words, DMZ systems should know nothing about internal systems, though some internal systems may know about DMZ systems.

In addition, DMZ access controls should not allow DMZ systems to initiate any connections further into the network. Instead, any contact to DMZ systems should be initiated by internal systems. If a DMZ system is compromised as an attack platform, the only systems visible to it should be other DMZ systems.
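The two mitigations above can be checked mechanically against a firewall rule export. The following is an added example, not code from the original page: the address ranges, the rule tuple format, the sample rules and the choice of ports 80 and 443 as the only Internet-facing allow-list are all assumptions made for illustration.

```python
from ipaddress import ip_network

# Constructed addressing plan (assumption, not from the page).
DMZ = ip_network("192.0.2.0/24")
INTERNAL = ip_network("10.0.0.0/8")
# Assumed allow-list: HTTP and HTTPS only; extend it for mail, DNS, etc.
PUBLIC_PORTS = {("tcp", 80), ("tcp", 443)}


def zones(cidr):
    """Zones a rule endpoint can cover; a wide CIDR may span several."""
    net = ip_network(cidr)
    found = set()
    if net.overlaps(DMZ):
        found.add("dmz")
    if net.overlaps(INTERNAL):
        found.add("internal")
    # Anything not wholly inside a known zone also covers Internet addresses.
    if not (net.subnet_of(DMZ) or net.subnet_of(INTERNAL)):
        found.add("internet")
    return found


def audit(rules):
    """Flag permit rules (name, src, dst, proto, dport) that break the DMZ model."""
    findings = []
    for name, src, dst, proto, dport in rules:
        s, d = zones(src), zones(dst)
        if "internet" in s and "internal" in d:
            findings.append((name, "Internet can reach the internal network"))
        if "dmz" in s and "internal" in d:
            findings.append((name, "DMZ host can initiate a connection inward"))
        if "internet" in s and "dmz" in d and (proto, dport) not in PUBLIC_PORTS:
            findings.append((name, "port outside the DMZ allow-list is exposed"))
    return findings


# Constructed sample ruleset; each rule permits NEW connections.
RULES = [
    ("web-in", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),
    ("ssh-in", "0.0.0.0/0", "192.0.2.10/32", "tcp", 22),
    ("app-to-db", "192.0.2.10/32", "10.1.2.3/32", "tcp", 5432),
    ("admin-push", "10.9.0.0/16", "192.0.2.0/24", "tcp", 22),
]

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```

Only `ssh-in` and `app-to-db` are reported: the first exposes a port outside the allow-list, the second lets a DMZ host open a connection into the internal range. Wide rules such as any-to-any are flagged because their source and destination overlap more than one zone.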

A dual firewall configuration, which entails deploying two firewalls with a DMZ between them, is generally a more secure option. The first firewall only allows external traffic to the DMZ, and the second only allows traffic that goes from the DMZ into the internal network.

An attacker would have to compromise both firewalls to gain access to an organisation’s LAN.


Organizations can also fine-tune security controls for various network segments.

This means that an intrusion detection system (IDS) or intrusion prevention system (IPS) within a DMZ could be configured to block any traffic other than Hypertext Transfer Protocol Secure (HTTPS) requests to the Transmission Control Protocol (TCP) port 443.
