==
Home » Uncategories » DMZ or demilitarized zone

DMZ or demilitarized zone

In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a usually larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is firewalled.
The name is derived from the term "demilitarized zone", an area between nation states in which military operation is not permitted.

Architecture[edit]

There are many different ways to design a network with a DMZ. Two of the most basic methods are with a single firewall, also known as the three legged model, and with dual firewalls. These architectures can be expanded to create very complex architectures depending on the network requirements.

Single firewall[edit]

Diagram of a typical three-legged network model employing a DMZ using a single firewall.
A single firewall with at least 3 network interfaces can be used to create a network architecture containing a DMZ. The external network is formed from the ISP to the firewall on the first network interface, the internal network is formed from the second network interface, and the DMZ is formed from the third network interface. The firewall becomes a single point of failure for the network and must be able to handle all of the traffic going to the DMZ as well as the internal network. The zones are usually marked with colors -for example, purple for LAN, green for DMZ, red for Internet (with often another color used for wireless zones).

Dual firewall[edit]

Diagram of a typical network employing DMZ using dual firewalls.
The most secure approach, according to Stuart Jacobs,[1] is to use two firewalls to create a DMZ. The first firewall (also called the "front-end" or "perimeter"[2] firewall) must be configured to allow traffic destined to the DMZ only. The second firewall (also called "back-end" or "internal" firewall) only allows traffic from the DMZ to the internal network.
This setup is considered[1] more secure since two devices would need to be compromised. There is even more protection if the two firewalls are provided by two different vendors, because it makes it less likely that both devices suffer from the same security vulnerabilities. For example, accidental misconfiguration[dubious – discuss] is less likely to occur the same way across the configuration interfaces of two different vendors, and a security hole found to exist in one vendor's system is less likely to occur in the other one. One of the drawbacks of this architecture is that it's more costly, both to purchase, and to manage.[3] The practice of using different firewalls from different vendors is sometimes described as a component of a "defense in depth"[4] security strategy.

Services in the DMZ[edit]

Any service that is being provided to users on the external network can be placed in the DMZ. The most common of these services are:
Web servers that communicate with an internal database require access to a database server, which may not be publicly accessible and may contain sensitive information. The web servers can communicate with database servers either directly or through an application firewall for security reasons.
E-mail messages and particularly the user database are confidential, so they are typically stored on servers that cannot be accessed from the Internet (at least not in an insecure manner), but can be accessed from email servers that are exposed to the Internet.
The mail server inside the DMZ passes incoming mail to the secured/internal mail servers. It also handles outgoing mail.
For security, compliance with legal standards such as HIPAA, and monitoring reasons, in a business environment, some enterprises install a proxy server within the DMZ. This has the following benefits:
  • Obliges internal users (usually employees) to use the proxy server for Internet access.
  • Reduced Internet access bandwidth requirements since some web content may be cached by the proxy server.
  • Simplifies recording and monitoring of user activities.
  • Centralized web content filtering.
reverse proxy server, like a proxy server, is an intermediary, but is used the other way around. Instead of providing a service to internal users wanting to access an external network, it provides indirect access for an external network (usually the Internet) to internal resources. For example, a back office application access, such as an email system, could be provided to external users (to read emails while outside the company) but the remote user would not have direct access to their email server. Only the reverse proxy server can physically access the internal email server. This is an extra layer of security, which is particularly recommended when internal resources need to be accessed from the outside. Usually such a reverse proxy mechanism is provided by using an application layer firewall as they focus on the specific shape of the traffic rather than controlling access to specific TCP and UDP ports as a packet filter firewall does.


Any service that is being provided to users on the external network can be placed in the DMZ. The most common of these services are:




Admin

Pro Teknologi dibuat pada 22 Februari 2017. Blog ini adalah harapan saya agar dapat membagi manfaat kepada orang lain,berupa tips-tips Seputar Blog,Internet,Komputer,dan Info-Info Menarik lainnya.

0 Response to "DMZ or demilitarized zone"

Post a Comment

Subscribe to: Post Comments (Atom)