A DMZ (demilitarized zone), also often referred to as a perimeter network or a screened subnetwork, is a physical or logical subnet that separates an internal local area network (LAN) from other non-trusted networks. External-facing servers, resources and services are usually located in the DMZ. They are reachable from the public Internet, while the rest of the internal LAN remains unreachable. This provides an additional layer of security for the LAN, as it restricts an attacker's ability to reach internal servers and data directly from the Internet. Any service offered to users on the public Internet should be placed on the DMZ network itself. Common examples include web servers and proxy servers, as well as email, domain name system (DNS), file transfer protocol (FTP) and voice over IP (VoIP) servers.
The architecture of network DMZs
There are various ways to design a network with a DMZ, but the two basic methods are:
- Single firewall
- Dual firewall
A single firewall with at least three network interfaces can be used to create a network architecture containing a DMZ: the first interface connects the external network from the ISP to the firewall, the second connects the internal network, and the third connects the DMZ. The firewall becomes a single point of failure for the network and must be able to handle all traffic going to the DMZ as well as to the internal network.
A more secure approach is to use two firewalls to create the DMZ. The first firewall, also called the "front-end" firewall, is configured to allow traffic only to the DMZ. The second firewall, also called the "back-end" firewall, allows only traffic from the DMZ to reach the internal network. This setup is considered more secure because two devices must be compromised before the internal network can be reached. This dual-firewall architecture is, of course, more expensive.
Benefits of DMZ
The primary advantage of a DMZ is that it lets users on the public Internet reach some protected resources while a firewall is retained between those users and the internal private network. The protection offered by this buffer shows itself in several ways, including:
- Protection against IP spoofing: In some cases, attackers try to bypass access control restrictions by spoofing an authorized IP address so that their device appears to be on your network. The DMZ can hold such traffic back while another service on the network checks whether the IP address is legitimate. In either case, the DMZ provides a level of network segmentation that creates a gap in which traffic can be organized and public services can be accessed at a safe distance from the private network.
- Prevent attackers from performing network reconnaissance: A DMZ acts as a buffer and prevents an attacker from enumerating potential targets within the internal network. Even if a system within the DMZ is compromised, the private network is still protected by the internal firewall that separates it from the DMZ. For the same reason, external reconnaissance also becomes more difficult. Although the servers in the DMZ are exposed to the public, another layer of security protects them.
- Access control for organizations: Organizations may provide users with connections through the public Internet to networks located beyond their network perimeters. A DMZ network offers access to these required resources while also adding a level of network segmentation that raises the number of hurdles an unauthorized user must bypass before reaching the organization's private network. In some cases, a DMZ also includes a proxy server, which centralizes the flow of internal – and usually employee – Internet traffic and makes it easier to record and monitor that traffic.
What is a DMZ host?
Some home routers refer to a "DMZ host", which in many cases is simply a misnomer. A home router's DMZ host is a single address (e.g. an IP address) on the internal network to which all inbound traffic not otherwise forwarded to other LAN hosts is sent. By definition, this is not a true DMZ (demilitarized zone), as the router alone does not separate the host from the internal network. In other words, the DMZ host is able to connect to other hosts on the internal network, while a host in an actual DMZ is prevented from connecting to the internal network by a separate firewall unless that connection is explicitly allowed by the firewall.
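To make the difference concrete, here is a small policy model, added as an example and not part of the original article, of the dual-firewall architecture described above and of the home-router "DMZ host" contrasted with it. The zone names, the allowed ports (80, 443, 25 on the front end; 5432 for a web tier reaching a database through the back end) and the host names are assumptions chosen for illustration; a flow is allowed only if every firewall on its path has a rule for that exact zone pair.

```python
"""Model of which zone-to-zone flows a dual-firewall DMZ admits (illustrative policy)."""
from dataclasses import dataclass

INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    ports: frozenset  # destination ports; an empty set means any port


# Front-end firewall: between the Internet and the DMZ. It only admits
# Internet traffic that is destined for DMZ services (assumed example ports).
FRONT_END = [
    Rule(INTERNET, DMZ, frozenset({80, 443, 25})),  # public web and mail
    Rule(DMZ, INTERNET, frozenset()),               # DMZ hosts may reply / egress
]
# Back-end firewall: between the DMZ and the internal LAN. Only named DMZ-to-LAN
# flows pass (assumed: web tier to database). Internal users browse via the DMZ
# proxy, so there is deliberately no direct INTERNAL -> INTERNET rule.
BACK_END = [
    Rule(DMZ, INTERNAL, frozenset({5432})),         # web tier -> database
    Rule(INTERNAL, DMZ, frozenset()),               # admins/proxy clients -> DMZ
]


def matches(rules, src, dst, port):
    return any(r.src == src and r.dst == dst and (not r.ports or port in r.ports)
               for r in rules)


def firewalls_on_path(src, dst):
    """Every firewall sitting between the two zones must be crossed."""
    order = [INTERNET, DMZ, INTERNAL]
    fws = [FRONT_END, BACK_END]  # fws[i] sits between order[i] and order[i+1]
    a, b = sorted((order.index(src), order.index(dst)))
    return fws[a:b]


def flow_allowed(src, dst, port):
    """Allowed only if each firewall on the path has a rule for this zone pair."""
    fws = firewalls_on_path(src, dst)
    return all(matches(fw, src, dst, port) for fw in fws)  # same zone: no firewall


def home_dmz_host_allowed(src, dst, port):
    """Home-router 'DMZ host': all inbound Internet traffic goes to one LAN
    address, but nothing separates that address from the other LAN hosts."""
    if src == INTERNET:
        return dst == "dmz_host"  # every port forwarded to the single host
    return True                   # dmz_host <-> other LAN hosts: no firewall
```

Note that reaching the internal LAN from the Internet is refused by the front end regardless of port, and a compromised DMZ host still only reaches the database port through the back end, whereas the home "DMZ host" can talk to every other LAN device.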