What is DMZ (demilitarized zone)?
What is DMZ (demilitarized zone)?
DMZ on the network allows systems that are accessible to the general public and the Internet to be distinguished from systems that users of an organization can only use. DMZ is a communication boundary between two networks that do not trust each other. Since there is no trust in the Internet space, it can be done using the DMZ structure, which is usually designed by firewalls or proxy servers and placed in different layers of the network. It raises trust in business and external communications.
Introduction
One of the most common uses of a firewall is to give special authority to a specific group of users to use a resource and prevent those from outside the group from accessing the resource. Another use of a firewall is to prevent a series of computers from connecting directly to the outside world.
These systems work so that all communications are routed to a firewall through a proxy server, and the same server decides whether a message or a file is safe to pass through the network. This security system is usually a combination of hardware and software. Is. Due to the standard’s requirements (ISMS & ISO), firewalls have become an integral part of computer networks and become one of network administrators’ main concerns. According to the sensitivity of each organization, the layering and power of firewalls are considered.
What is a Demilitarized Zone?
DMZ stands for Demilitarized Zone and usually refers to parts of the network that are not completely reliable. DMZ is a communication border between two networks that do not trust each other since there is no trust in the Internet space. So it can be done using the DMZ structure, which is usually designed by firewalls or proxy servers and placed in different layers of the network. It raises trust in business and external communications.
In a simple DMZ structure on a typical network, a server or computer, referred to as the Host, sits in the DMZ environment and receives all the requests that internal users have to communicate outside the network.
After receiving these request packages (for example, a website request), the server redirects them to the public network or the Internet. It then sends the response to these requests in the same session created by the internal user. It is noteworthy that in this type of simple design, no traffic can enter from the external network to the internal network.
Users on the Internet or external network can only access the Host used for DMZ and will not have access to the internal network. Another thing that can be done on this Host is that web pages to be accessed by the organization on the Internet can be placed on this Host. However, it should be noted that DMZ will not have access to the internal network in this case. Suppose that, in this case, a hacker intends to attack the organization’s website; even if he succeeds in hacking these pages, he will not have access to specific information about the organization’s internal network and private information.
If we want to define DMZ in terms of security, we can also introduce it as advanced settings in network firewalls. In DMZ settings, most computers on a LAN are located behind a firewall connected to the Internet or public network.
On the other hand, one or more servers are located after the firewall, i.e., they are not in the internal network. These servers, which are located after the firewall, receive requests from internal users as announced from the internal network, and then they Are sent to the Internet network to which they are connected. This is exactly the security concept that is intended. In most government agencies and even corporations, there are services that organizations intend to provide offline, such as a corporate website or portal, an email service, a hosting web service, or even a DNS service.
Suppose you put these services inside the internal network and allow users who want to use these services to access the internal network from the Internet. This is a security vulnerability, so general use of DMZ design is always recommended for such services.
In such cases, you place the services and servers you want in the DMZ environment and create a limited connection to the internal network for them, a connection that is at a very low level and with a lower percentage of risk than normal network communications.
DMZ is designed to protect against attacks that are performed from outside the organization to services, and usually, in this type of design, the risks of the internal network of the organization, such as Spoofing and Sniffing. . . They are not seen. In addition, we can put services in DMZ. We put services that need public access in this area of the network.
The most important and famous services that are located in the DMZ section of the network are as follows
1- Web servers or Web Servers
2- VoIP servers
3- Email servers
4- FTP servers
The important point here is that enterprise web servers are usually not static pages that are just a few but dynamic pages that have a database in the background; these web servers should be able to do this. Use the database, as a rule, and if you put it in the DMZ environment, it would be wrong; in this case, the database is placed either in the internal network and behind the firewall or a firewall and in the network. Put in the same DMZ design. If a hacker manages to infiltrate the website, he will only have access to the web pages. He will not be able to attack the data and information in the database behind another firewall.
Email services also have their user information and database that must be protected. We put them behind a separate firewall; usually, email servers support a Webmail service that can be accessed via the web; you can put your email server behind a DMZ firewall and Publish an email webpage for public access through a feature called Publishing.
Email servers must manage both incoming and outgoing email traffic properly, the design of DMZs varies according to the services available on the network, and the DMZ is not a static structure. Due to security issues and monitoring issues in a business environment, most organizations and companies set up a Proxy Server in their DMZ area. Setting up this server in this environment has several advantages as follows:
- Forcing internal users to use Proxy Servers to use the Internet
- Reduce the need for additional bandwidth on the Internet due to the use of cache in the proxy server
- Centralize the process of filtering websites and web content
- Simplify the recording process and monitor users’ use of the Internet
If the user needs to be able to access the internal network from the outside, will the DMZ structure allow him to do so or not? In answer to this question, we must say that there is a service called Reverse Proxy that allows external users to access the internal resources of the network. Just as Proxy Server serves internal users, Reverse Proxy does the opposite. Give external users internal access.
There are many ways to design a DMZ, and anyone can have their organization-specific design of this method according to the existing conditions. In DMZ designs, you can use a single firewall with three network cards or several separate firewalls. How you design a DMZ depends entirely on your organizational needs. Here are two common ways to design a DMZ:
DMZ using a firewall
In this case, you have a hardware or software firewall with at least three network cards, and your DMZ design fits into these three network cards. Your external connection, which connects to the Internet and the ISP network, connects to the first network card.
Your internal network connects to the existing second network card, and eventually, your DMZ network connects to the third network card on the firewall. Here our firewall has created a Single Point Of Failure, which means that if this firewall disappears or malfunctions, all the connected networks will have problems.
Also, if there is a lot of traffic between networks, this firewall alone may not be able to provide service, and your network may slow down. Each of these network cards is called a Zone. Purple is commonly used to document this structure for the internal network, green for the DMZ network, and red for the Internet.
DMZ is using two firewalls
Using two firewalls in the DMZ design gives you one of the most secure designs in the DMZ. The first firewall, also called the front-end firewall, is configured to receive and send traffic from the Internet, which first connects to a zone known as the DMZ. The second firewall is configured to manage incoming and outgoing traffic to the internal network and is called a back-end firewall.
Conclusion
Restricting access to internal and organizational networks, integrated threat management, delegating special authority to a specific group of users to use a resource, as well as preventing those from outside the group from accessing the resource Importance of using a firewall to prevent It doubles the direct connection of the computer to the system and internal organizations.
DMZ can be an important component of environmental security design to protect the private network. In most government agencies and even corporations, there are services that organizations intend to provide outside the network. It is always recommended to use DMZ design for such public services. There are many ways to design DMZ, and everyone Can have a special design of its organization according to the existing conditions of this method.