January 19, 2012

1.3.1 DMZ

In military terms, a demilitarized zone (DMZ) is an area, usually the frontier or boundary between two or more military powers (or alliances), where military activity is not permitted, typically by peace treaty, armistice, or other bilateral or multilateral agreement.

By implementing intranets, extranets, and DMZs, you can create a reasonably secure environment for your organization.

In computer security, a DMZ (or perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet.
The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network.

Hosts in the DMZ provide services such as e-mail, web and Domain Name System (DNS) servers to users outside of the local area network. Because of the increased potential of these hosts being compromised, they are placed into their own sub-network and an intervening firewall controls the traffic between the DMZ servers and the internal network clients.

A single firewall can be used to create a network architecture containing a DMZ. However, a more secure approach uses two firewalls to create a DMZ. The first firewall is configured to allow traffic destined to the DMZ only. The second firewall (also called the "back-end" firewall) allows only traffic from the DMZ to the internal network.

This setup is considered more secure since two devices would need to be compromised. There is even more protection if the two firewalls are provided by two different vendors, because it makes it less likely that both devices suffer from the same security vulnerabilities.
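The two-firewall design above can be checked as policy before touching any hardware. The following is an added example, not code from the post or its references: it models the front-end and back-end rulesets as default-deny lists and traces which flows cross which firewall. The address ranges, ports and rules are constructed for illustration (RFC 5737 documentation space for the DMZ, a private range for the internal LAN).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example ranges (not from the post).
ANY = ipaddress.ip_network("0.0.0.0/0")          # matches any source, used for Internet-originated traffic
DMZ = ipaddress.ip_network("192.0.2.0/24")       # perimeter network holding the public servers
INTERNAL = ipaddress.ip_network("10.10.0.0/16")  # internal LAN

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None means any destination port
    action: str            # "allow" or "deny"

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> bool:
    """First matching rule wins; anything unmatched is denied."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action == "allow"
    return False

# Front-end firewall: only traffic destined to the DMZ, and only to published services.
FRONT_END = [
    Rule(ANY, DMZ, 80, "allow"),   # web
    Rule(ANY, DMZ, 25, "allow"),   # mail
    Rule(ANY, DMZ, 53, "allow"),   # DNS
]

# Back-end firewall: only the DMZ may initiate into the internal network, and only to what it needs;
# administrative access from the inside to the DMZ is the one exception modelled here.
BACK_END = [
    Rule(DMZ, INTERNAL, 5432, "allow"),   # web tier -> internal database
    Rule(INTERNAL, DMZ, 22, "allow"),     # admins managing DMZ hosts
]

def path_allowed(src_ip: str, dst_ip: str, dport: int) -> bool:
    """A flow must be permitted by every firewall that sits between its endpoints."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hops = []
    if s not in DMZ and s not in INTERNAL:
        hops.append(FRONT_END)   # originates on the Internet: crosses the front-end firewall
    if (s in INTERNAL) != (d in INTERNAL):
        hops.append(BACK_END)    # crosses the boundary of the internal network: back-end firewall
    return all(evaluate(fw, src_ip, dst_ip, dport) for fw in hops)

if __name__ == "__main__":
    print("Internet -> DMZ web:", path_allowed("198.51.100.7", "192.0.2.10", 80))        # True
    print("Internet -> internal:", path_allowed("198.51.100.7", "10.10.1.5", 80))       # False
    print("DMZ -> internal db:", path_allowed("192.0.2.10", "10.10.1.5", 5432))         # True
```

An Internet host reaching the internal LAN would have to be allowed by both rulesets, which is the point of the design: compromising the front-end firewall alone does not expose the internal network.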

A DMZ is an area where you can place a public server for access by people you might not trust otherwise. By isolating a server in a DMZ, you can hide or remove access to other areas of your network.
A host that exists outside the DMZ and is open to the public is often called a bastion host.

References:

  • http://en.wikipedia.org/wiki/DMZ_(computing)
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney

