In the previous articles on designing the ideal network security perimeter (part 1 and part 2), we examined what layers should be in place and how to harden security device configurations. Now it’s time to talk about how to create and secure the DMZ. The first thing I think of when the acronym DMZ (Demilitarized Zone) is used is some type of neutral ground on the border of a military dispute (the Vietnamese and Korean demilitarized zones come to mind). These zones are always put in place between a zone of trust and a zone of distrust (depending on your perspective). Within these demilitarized zones there is always access from both sides of the border, both the trusted and distrusted, to discuss treaties, concerns, etc. related to the government and military establishment from both sides.
It’s no surprise that when networks were first created there was an immediate need to have certain systems exposed to the outside world, but yet not allowed to access the internal LAN. The military coined term DMZ is used to describe this network from an information security architecture perspective and it fits perfectly. Let’s examine how to create a DMZ and how to build security outside of the DMZ.
Creating a DMZ
I’ve heard the analogy that a DMZ is similar to the front yard of your house. The house is your property, but you wouldn’t store anything of value on the front lawn where anyone can publicly drive by and take it. You’d put all your money, gems and gold inside a safe in the basement of the house, instead of leaving them out on your driveway. This is similar to a DMZ from a security perspective. You want people on the Internet to browse your sites and services, but you don’t want to have confidential or privileged data within the DMZ (e.g. domain controllers, databases, etc.) to be exposed.
A DMZ is essentially an isolated network that allows publicly accessible services to an external network (aka the Internet). This is done either on a separate firewall or with the creation of zones on a firewall. This is also be determined by interfaces on the firewall or filtering device with the end result being to separate the LAN from the DMZ. The creation of rules with only the minimal needed traffic between the hosts and zones is mandatory. Consider the DMZ as a dangerous place and make sure that systems within the LAN aren’t fraternizing with systems in the DMZ without being filtered (more about that later).
Securing External Access to the DMZ
When securing the DMZ, make sure it is completely locked down from both ends. Locking down the perimeter isn’t going to help if it’s not locked down internally (we’ll examine this more in our next blog). When creating a DMZ there should be at least a front-end firewall for the external traffic and a back-end firewall for the internal traffic.
External access to the systems in the DMZ should be locked down to only the recommended ports, users and services needed to perform the given function. For example, if you have web servers in your DMZ, while you want visitors to come to your site, you don’t want them doing anything more to these systems. Access to your systems externally within the DMZ should be on a “need to know basis”. Firewall rules should be completely tightened on all publicly available systems to allow traffic to only the necessary ports and services living within the DMZ. There should be no exceptions here!
In our next blog, we’ll examine how to build security from within the DMZ since you need security at both ends.
Receive notifications of new posts by email.