What Is A DMZ Network And How Is It Implemented?
In The World Of Computer Networks, A Demilitarized Zone (DMZ) Is A Logical Or Physical Subnet That Provides An Organization’s External Services In Interaction With An Unreliable Network Such As The Internet.
More precisely, DMZ is a protected network between an unreliable network such as the Internet and a secure internal network. The purpose of a DMZ is to add an extra layer of security to the organization’s local area network so that hackers can be directed to a specific point specified by the organization instead of going to different parts of a network.
Most organizations use different technologies such as firewalls, closed filters, proxy servers, and Inspect Stateful interactions with DMZ to more accurately protect infrastructure.
Based on this definition, we understand that DMZ is a small and isolated network between the Internet and the private network.
What is DMZ?
Before we explore what DMZ does and it should implement, it is important to understand its meaning. DMZ stands for Demilitarized Zone.
While the DMZ does not belong to any enclosed networks, it is not suitable for military or sensitive operations, as it is always likely to be compromised.
DMZ is a gateway to the public Internet and, therefore, not as secure as the internal network, but it is not as insecure as the public Internet.
Hosts within the DMZ are only allowed to have communication channels limited to certain hosts on the internal network because DMZ content is not as secure as the internal network.
Similarly, communication between hosts in the DMZ and communication with the external network is restricted to provide more security in the area and allow specific services.
Familiarity with the architecture of the civilian area
To get a more accurate understanding of DMZ, we must first examine the DMZ architecture in the network. There are several ways to design a network with a DMZ pattern.
The two main methods are to use one or two firewalls, although most modern DMZs are designed with two firewalls. The above approach can be extended to implement more complex architectures.
The external network is connected to the firewall at the first network interface by connecting to the public Internet through the Internet Service Provider (ISP).
The internal network is implemented by connecting to the second network interface and the DMZ network itself, which connects to the third network interface. Figure 1 shows the architecture of a DMZ-based network.
figure 1
Different firewall policies are set up to monitor the traffic exchanged between the Internet and the civilian network, the local network and the civilian network, and the local network and the Internet.
They are the Internet, and thus the connection of certain hosts to the local network is restricted to prevent unwanted connections to the Internet or local area network. Organizations are trying to implement a DMZ network between two firewalls for added security.
The first firewall, called the Perimeter Firewall, is implemented and configured to allow only external traffic to the DMZ destination. The second firewall, an internal firewall, only allows traffic from the DMZ to the internal network.
The above approach provides more security because it must go through two devices for an attacker to access the local LAN.
For example, a network intrusion detection system located within the DMZ should be configured to block all traffic except HTTPS requests to port 443.
How does a civilian network work?
Civilian networks are implemented to act as a barrier between the public Internet and the private network. Implementing a civilian network between two firewalls means that all network input packets are evaluated using a firewall or security policy before reaching the organization’s host servers in the DMZ.
If a hacker can get through the first firewall, he must gain unauthorized access to the services to carry out malicious operations; however, systems based on such networks are prepared to deal with such threats.
However, if a hacker can cross the external firewall barrier and control DMZ-hosted systems, they will still have to go through the internal firewall defense mechanisms to access critical organizational resources.
Why should we use the civilian zone mechanism?
The main advantage of using DMZ is that it allows cyberspace users to access certain services while creating a secure barrier between users and the private internal network. However, the potential benefits of the civilian area include the following:
Access control for the organization
Organizations can allow users outside the private network to access the organization’s various services, whether commercial or non-commercial. Access to email services such as Gmail is based on this rule.
The DMZ network provides various defense mechanisms to prevent unauthorized users from accessing the private network. In most cases, the civilian area is a proxy server that concentrates internal traffic flow and facilitates traffic monitoring and recording.
Prevent network detection attacks
Because DMZs act as a buffer, they do not allow reconnaissance and reconnaissance attacks to be successful. Even if a system in the DMZ is compromised, the private network is protected by an internal firewall that separates the private network from the DMZ. In addition, DMZ makes it more difficult for hackers to implement network attacks successfully.
When DMZ servers are visible to users, but an invisible layer of protection protects them. In such cases, if hackers can seriously challenge servers inside the civilian area, they still do not have access to the private network because a layer of protection protects the civilian area.
Protection against IP address forgery
Sometimes hackers try to circumvent some restrictions on access control by forging an IP address to gain access. In such cases, the civilian area could delay the hackers’ work or, in more advanced cases, allow network services to provide services based on valid IP addresses.
The civilian zone provides a precise mechanism for traffic management by providing a level of network classification so that services are publicly available to users, but the private network is completely secure.
Why is a civilian network used?
Civilian networks are one of the most important mechanisms available to security and network teams. Hackers use civilian networks to separate and keep target systems and internal networks out of reach.
The DMZ mechanism is an old way of hosting corporate resources so that organizations can easily provide access to users and, at the same time, think about generating revenue.
Over the past few years, organizations have moved extensively to virtual machines and containers to separate different parts of the network and specific applications from other parts of the organization.
In addition, super-centric technologies have significantly reduced organizations’ reliance on internal web servers.
Take a look at some of the famous and well-known DMZs
Some cloud service companies, such as Microsoft Azure, have used a hybrid security mechanism in which a DMZ is placed between the organization’s internal and virtual networks.
Such a mechanism is used when external traffic needs to be reviewed, or different traffic control between the virtual network and the internal data center is required.
On the other hand, DMZ works well on home networks where computers and other devices are connected to the Internet via a router and configured on a local area network.
Some home routers have the ability to host DMZ, which is significantly different from the DMZ subnet implemented by organizations because, in an organization, the number of devices connected to the network is more than homes.
The DMZ hosting capability allows a device in the home network to act as a DMZ outside the firewall, while other parts of the home network are within the firewall.
Sometimes, a game console is chosen to host the DMZ so that the firewall does not interfere with the online streaming of packets. In addition, a game console is a good option for hosting DMZ, as it has less sensitive information than a computer.
In addition, DMZ provides a powerful way to reduce security risks associated with Operational Technology concerning applications such as the cloud.
Industrial equipment such as turbine engines or SCADA systems have been fully integrated with information technology to make operating environments smarter and more efficient, but threats have also increased accordingly.
Most Internet-connected operational technology equipment is not designed to be able to manage attacks like conventional network equipment.
Thus, compromising operational technology can allow hackers to enter sensitive parts of a production unit more easily, cause equipment failure, or cause serious damage to critical infrastructure.
This year (2021), parts of US oil pipelines were attacked by ransomware, resulting in the shutdown of refinery equipment and refinery feed injections.
Following the cyber-attack and the shortage of gasoline at gas stations and rising prices, several drivers in the southeastern United States have begun buying and storing gasoline.
In this regard, the American Automobile Association announced that due to the gasoline shortage, the average price of gasoline on Tuesday, May 11, 2021, reached $ 2.98 per gallon, which is the highest price since November 2014.
A state of emergency has been declared in North Carolina, Virginia, and Florida due to fuel shortages.
The company’s website was periodically made inaccessible so that hackers could not carry out another attack.
In response, Colonial said the website problem had nothing to do with the cyberattack but apparently blocked its computer network from communicating with users outside the United States to fear being attacked.
DMZ is not used between IT and operations technology to enable OSS devices to deal with ransomware.
The purpose of using DMZ is to classify and segment networks to reduce damage from hacking attacks. As in the example above, companies do not have to pay millions of dollars.
How to install DMZ on servers?
Before you decide to configure a DMZ, you need to determine what services should run on each server. Typically, a DMZ server runs physically and logically on a different part of the network.
This means must use a separate server to host services that are supposed to be public, such as domain name system, web, email, etc.
Functionally, it is better to implement the civilian area on a different subnet from the local network. To build a civilian area network, you must have a firewall with three network interfaces, one for untrusted networks, one for the civilian area, and one for the internal network.
All servers to be connected to the external network must be located in the civilian area network, and all servers with sensitive data must be located behind the firewall.
When configuring a firewall, you must place strict restrictions on the traffic to enter the internal network. Next, NAT must be prepared for computers on the local network to provide Internet access to the client hosts.
In addition, clients must be allowed to connect to DMZ servers.
Figure 2 shows how to set up a civilian area network. It is better to use two firewalls to improve the security level. In the above architecture, one of the firewalls allows only DMZ traffic to pass through, while the second firewall allows DMZ traffic to pass through the internal network.
In this case, an additional layer of security is created because if a hacker can access the internal network, he must cross the barrier of two security mechanisms.
The three grids represent the DMZ grid architecture with two firewalls. Next, NAT must be prepared for computers on the local network to provide Internet access to the client hosts.
In addition, clients must be allowed to connect to DMZ servers.
Figure 2 shows how to set up a civilian area network. It is better to use two firewalls to improve the security level.
In the above architecture, one of the firewalls allows only DMZ traffic to pass through, while the second firewall allows DMZ traffic to pass through the internal network.
In this case, an additional layer of security is created because if a hacker can access the internal network, he must cross the barrier of two security mechanisms.
The three grids represent the DMZ grid architecture with two firewalls.
Next, NAT must be prepared for computers on the local network to provide Internet access to the client hosts. In addition, clients must be allowed to connect to DMZ servers. Figure 2 shows how to set up a civilian area network.
It is better to use two firewalls to improve the security level. In the above architecture, one of the firewalls allows only DMZ traffic to pass through, while the second firewall allows DMZ traffic to pass through the internal network.
In this case, an additional layer of security is created because if a hacker can access the internal network, he must cross the barrier of two security mechanisms. The three grids represent the DMZ grid architecture with two firewalls.
In addition, clients must be allowed to connect to DMZ servers. Figure 2 shows how to set up a civilian area network.
It is better to use two firewalls to improve the security level. In the above architecture, one of the firewalls allows only DMZ traffic to pass through, while the second firewall allows DMZ traffic to pass through the internal network.
In this case, an additional layer of security is created because if a hacker can access the internal network, he must cross the barrier of two security mechanisms. The three grids represent the DMZ grid architecture with two firewalls.
In addition, clients must be allowed to connect to DMZ servers.
Figure 2 shows how to set up a civilian area network. It is better to use two firewalls to improve the security level.
In the above architecture, one of the firewalls allows only DMZ traffic to pass through, while the second firewall allows DMZ traffic to pass through the internal network.
In this case, an additional layer of security is created because if a hacker can access the internal network, he must cross the barrier of two security mechanisms.
The three grids represent the DMZ grid architecture with two firewalls. In the above architecture, one of the firewalls allows only DMZ traffic to pass through, while the second firewall allows DMZ traffic to pass through the internal network.
In this case, an additional layer of security is created because if a hacker can access the internal network, he must cross the barrier of two security mechanisms.
The grid shows the three architectures of the DMZ grid with two firewalls.
In the above architecture, one of the firewalls allows only DMZ traffic to pass through, while the second firewall allows DMZ traffic to pass through the internal network.
In this case, an additional layer of security is created because if a hacker can access the internal network, he must cross the barrier of two security mechanisms. The grid shows the three architectures of the DMZ grid with two firewalls.
figure 2
Figure 3
For systems within a DMZ network to be more secure and not easily fall victim to hacking attacks, it is best to disable all unnecessary services and domains, run services as chrooted as possible, do not forget to delete or deactivate user accounts, configure Report and review reports regularly and use firewall security policies and anti-IP address counterfeiting capabilities.