SolutionBase: Strengthen network defense with a DMZ (2023)

The concept of DMZ, like many other network security devices
Terms, taken from military terminology. geopolitically one
The Demilitarized Zone (DMZ) is an area that extends between two territories
hostile to each other or on the battle lines of two opposing forces. The term came first
widely used to denote the strip of land bisecting the Korean Peninsula
and separates north from south. In computer networks, the DMZ
it also provides a buffer zone separating an internal network from the common one
hostile territory of the Internet. It is sometimes called "haunted".
subnet" or a "perimeter network", but the goal is still that

In this article, we take a look at how the DMZ works and
different security architectures to build DMZ. In the second article of
In this two-part article, we'll talk about what computers should (and shouldn't) do.
placed in the DMZ and how DMZ activity is monitored.

Unlike the geopolitical DMZ, a DMZ network is nobody's business.
land that belongs to no one. If you create a DMZ for your company, this
It is yours and it is under your control. However, it is an isolated network.
that is separate from your corporate LAN (the "internal" network). EITHER
DMZ uses IP addresses that belong to a different network ID.

If you think of the internal network as the "trusted" network
network and the external public network (Internet) as "untrusted"
network, you can think of the DMZ as a "semi-trusted" area. It is not
as secure as LAN, but since it is behind a firewall it is not as secure either.
It is not safe like the Internet. You can also think of the DMZ as a "link".
Network” which can communicate with Internet and LAN
sit between the two as shown in Diagram A.

Figure A

SolutionBase: Strengthen network defense with a DMZ (1)
The DMZ is located between the "hostile" Internet and the internal network
red corporativa

What it does You can put the computers you need
communicate directly with the Internet (public servers) in the DMZ instead
in your internal network. You are protected by the external firewall,
although they are still endangered simply because they have direct contact with
internet computer Since the DMZ is only "semi-secure", it is
It is easier to hack a computer in the DMZ than on the internal network. The good
What is new is that if a DMZ computer is hacked, it will not be compromised.
security of the internal network since it is in a completely separate place,
isolated network.

Why put a computer on this riskier network? let's give one
Example: to do your job (your member website
public), your web server must be accessible to the Internet. but have one
The server on your network with Internet access represents all
compromised network. There are three ways to reduce this risk:

(Video) Protecting Enterprise Data in Hadoop

  • Ofcouldcounting
    a hosting company that hosts your websites on your computers and networks.
    However, this gives you less control over your web servers.
  • You can host public servers
    Computer with firewall. However, best security practices dictate that your computer's firewall
    should act solely as a firewall (this reduces the likelihood of
    the firewall is compromised), and in practice this would be detrimental
    firewall performance. Even if you have a firewall appliance that has a
    Proprietary operating system, no other services can be installed on it.
  • The third solution is to host the public web
    Servers in a separate and isolated network: the DMZ.

The DMZ is created from two basic components: IP addresses and
firewall Remember that two important features of the DMZ are:

  1. Has a different network ID than internal
    the net
  2. You are disconnected from the Internet and
    internal network through a firewall

IP addressing scheme

A DMZ can use public or private IP addresses,
depending on your firewall architecture and configuration. if you use public
addresses, you usually need to subnet the block of IP addresses you have
Your ISP assigns you, so you have two separate network IDs. One of
Network IDs are used for the external interface of your firewall and
the other is used for the DMZ network.

If you create a subnet in your IP address block, you must configure it
Your router to get directions to the DMZ subnet.

You can create a DMZ within the same network ID you are using
use for your internal networkVirtually
LAN-Identifikation (VLAN).
This is a method of partitioning traffic that shares a
shared switch, creating virtual local area networks as described in the IEEE
802.1q standard. This specification creates a standard way of identifying Ethernet
Frames that contain VLAN membership information.

If you are using private IP addresses for the DMZ, you will need a
NAT (Network Address Translation) device to translate private addresses
a public address at the edge of the Internet. Some firewalls provide an address

Whether to choose a NAT or routed relationship
The relationship between the Internet and the DMZ depends on the applications you use
it must be compatible as some applications do not work well with NAT.


When we say that a firewall should separate the DMZ from both
B. the internal LAN and the Internet, this does not have to be mandatory
buy two firewalls. If you have a "three-legged firewall" (one with min.
at least three network interfaces), the same firewall can serve both functions. Around
On the other hand, there are reasons why you might want to use two separate firewalls.
(a frontend and a backend firewall) to create the DMZ.

Figure A above shows a DMZ using two firewalls,
I callDMZ back to back.a
The advantage of this configuration is that you can use fast packet filtering
Firewall/router at the interface (Internet Edge) to increase performance
their public servers and employ slower Application Layer Filtering (ALF).
Firewall on the backend (next to the corporate LAN) for added protection
to the internal network without affecting the performance of yours
public servers. Each firewall in this configuration has two interfaces. EITHER
The front-end firewall has an external interface to the Internet and an internal
Interface to the DMZ while the back-end firewall has an external interface
the DMZ and an internal interface to the company LAN.

If you use a single firewall to create a DMZ, it will invoke
a3-way DMZ.That's because the
The computer or firewall device interacts with three separate networks:

  1. The internal interface to the trusted network
    (an internal LAN)
  2. The external interface to the unreliable network
    (public internet)
  3. The interface to the semi-trusted network (the

The trihomed DMZ looks like Figure B.

Figura B

SolutionBase: Strengthen network defense with a DMZ (2)
A trihomed DMZ uses a "three-legged" firewall to create it

Even if you use a single Trihomed firewall to protect both
You should be able to configure the DMZ and internal network
Rules to evaluate traffic by origin and destination. That's it,
There should be separate rules for:

  • Incoming traffic from the Internet to the DMZ
  • Incoming traffic from the DMZ to the interior
  • Incoming Internet traffic to the
    red interna
  • Outgoing traffic from the internal network
    o DMZ
  • Outgoing traffic from the internal network
    an internet
  • Outgoing traffic from the DMZ to the Internet

DMZ greatly reduces the complexity of filtering
Traffic because you can have one rule for all computers in the DMZ. If you
would host the public servers on the internal network, you would need
Set up different rules for each hosting server and you would have to "publish"
each server so that it can be accessed from the Internet.

You will probably want to block Internet traffic to
internal computers. You also need to restrict the traffic from the DMZ
internal network and Internet traffic to the DMZ. just allow
the traffic your users need to access the resources they need.
This means using the "principle of least privilege" where your
By default, all traffic is first denied and then logged and allowed
Doors open on a need to know basis.

Manufacturer support for DMZ

Large hardware and software vendors support the DMZ concept
on your products. Cisco routers have multiple LAN ports, one of which is
named DMZ port, and the IOS operating system uses the port address
Translation (PAT) to allow traffic to be routed to multiple servers using a single server
single destination IP address. As the name suggests, it uses port numbers (such as
like 80 for the web server and 25 for the mail server) to differentiate them
multiple servers. This way you can have multiple public servers without
Pay for multiple public IP addresses.

Many firewall devices such as SonicWall are included
three Ethernet ports: one LAN port (for connecting to the internal network), one WAN port
port (to connect to the Internet) and a DMZ port (to connect to the network
domicile of its public servants).

Microsoft ISA Server 2004 Multi-Network Feature
allows you to connect the ISA Server firewall to any number of networks,
limited only by the number of network interface cards you can install in the
Machine. In the new ISA model, no network is automatically "trusted"
How to configure security according to the needs of each network.

Many consider a DMZ to be a "largely open" network,
similar to the geopolitical DMZ where you risk getting shot at every turn
in the. However, not all DMZs are created equal when it comes to space.
security architecture. Even if you put computers in the DMZ, they are there
No way to protect them. The level of security within the DMZ also depends on it.
about the type of servers that are placed there. We can divide the DMZ into two parts
Security categories:

  1. DMZ for unauthenticated or anonymous users
  2. DMZ designed for authenticated access

If you have a web server that you want everyone to be on
Access the Internet (as a web presence that promotes your ad)
company), you must allow anonymous access. you can't just deliver
Authentication data of all strangers who appear on your website.
However, if your Internet-facing servers in the DMZ are used by partners,
Customers or employees working remotely may require authentication
access them. This makes it difficult for a hacker to access.


There is a special use for the anonymous nature of DMZ
most popular: creating a “honey web”. This is a network made up of
of one or more "honeypot" computers designed to attract hackers
– so they can be detected or tracked or redirected from the network
real resources. Unlike other DMZs, actuallywantThis network is compromised.

The computers in the honeynet are often virtual machines
all installed on a single physical computer and intrusion detection
Systems and other surveillance systems are implemented to collect information
about the techniques, tactics and identities of hackers.

Host security in the DMZ

Because the DMZ is a less secure network than the internal network
network, host security is even more important for computers that are "off".
there". Servers in your DMZ should be opened as much as possible
(while maintaining their accessibility for those who need to access them). East

  • All unnecessary services must be disabled.
  • The necessary services will be provided with the minimum
    possible privileges.
  • Strong passwords or passphrases must be used.
  • Unnecessary user accounts should be deleted or
    Disabled and default accounts must be obfuscated by changing the name, changing the
    description etc
  • Systems must have the latest security updates.
    and patches applied.
  • Security logging must be enabled (and you
    should check the logs often!)

The definition of “DMZ” is getting broader
There are other uses for these "semi-trusted" networks. from today
Networks are complex, and security professionals are beginning to realize that
is the concept of "edge" or "perimeter" of the network
outdated; A corporate network has multiple perimeters. This is how DMZs can be
suitable in places other than the edge of the Internet and large
Networks can benefit from having multiple DMZs.


How does a DMZ improve network security? ›

DMZ's are an essential part of network security for both individual users and large organizations. They provides an extra layer of security to the computer network by restricting remote access to internal servers and information, which can be very damaging if breached.

What would we use a DMZ to protect? ›

The purpose of the DMZ is to protect both sides from attack. If North Korea was going to attack South Korea, they would have to pass through this tract of land, giving South Korea a short amount of time to alert that an attack was imminent. Additionally, this allows both sides to better prepare their defenses.

What is a DMZ and what is it used for? ›

A DMZ, short for demilitarized zone, is a network (physical or logical) used to connect hosts that provide an interface to an untrusted external network – usually the internet – while keeping the internal, private network – usually the corporate network – separated and isolated form the external network.

What are some of the benefits of creating a DMZ with two firewalls? ›

Explanation: Setting up a DMZ with two firewalls has its own advantages. The biggest advantage that you can do load balancing. A topology with two firewalls also helps in protecting internal services on the LAN from denial of the service attacks on the firewall's perimeter.

What is an example of DMZ? ›

In military parlance, a demilitarized zone (DMZ) is an area where warring parties agree to lay aside their disagreements to achieve a state of peace — for instance, the narrow strip of land that divides the Korean Peninsula, separating North and South Korea.

How can we improve network security? ›

What are the Ways to Improve Network Security?
  1. Train Your Employees​ Firstly, people, are the foundation of every solid cybersecurity plan. ...
  2. Keep an Eye on Software Vulnerabilities​ ...
  3. Be Careful Responding to Emails​ ...
  4. Physically Protect Your Network​ ...
  5. Use VLAN​ ...
  6. Improve Your Password​ ...
  7. Encrypt the Entire Network​

What type of network is usually protected by DMZ? ›

Any service that is offered to users on the public internet should be set up in the DMZ network. The external-facing servers, services, and resources are usually placed there. Services include web, Domain Name System (DNS), email, proxy servers and File Transfer Protocol (FTP), Voice over Internet Protocol (VoIP).

Does DMZ bypass firewall? ›

A DMZ helps electronic signals bypass strict firewall and router security and open all ports for faster delivery of data packets.

How do you implement DMZ? ›

To set up a default DMZ server:
  1. Launch a web browser from a computer or mobile device that is connected to your router's network.
  2. Enter the router user name and password. The user name is admin. ...
  3. Select ADVANCED > Setup > WAN Setup. ...
  4. Select the Default DMZ Server check box.
  5. Type the IP address.
  6. Click the Apply button.
Jul 16, 2022

What are the characteristics of the DMZ? ›

The DMZ is 250 kilometers (160 miles) long, approximately 4 km (2.5 mi) wide. Though the zone is demilitarized, the border beyond that strip is one of the most heavily militarized borders in the world.

What are three ways to protect your network? ›

10 Proven Ways to Secure a Computer Network
  • Install and monitor firewall performance.
  • Update Passwords When Needed and/or Yearly.
  • Lean on Advanced Endpoint Detection.
  • Create a virtual private network (VPN)
  • Train your employee.
  • Filter and delete spam emails.
  • Shut down computers when not in use.
  • Encrypt your files.

What are the three 3 basic network security measures? ›

Types of Network Security Measures
  • Firewalls. A firewall is a barrier or filter between a given network and the outside world or the internet at large. ...
  • Access Control. ...
  • Network Segmentation. ...
  • Intrusion Prevention Systems.

What is the first step in improving network security? ›

Step 1: Identify connectivity susceptibilities

This step starts with an end-to-end review of the network, including model information and configuration data on routers, switches, firewalls and cabling -- as well as all the computers, servers and peripheral devices connected to them.

Does a DMZ need two firewalls? ›

This implementation uses two firewalls to create a DMZ. The first firewall (also called the "front-end" firewall) must be configured to allow traffic destined for the DMZ only. The second firewall (also called "back-end" firewall) allows only traffic from the DMZ to the internal network.

Does DMZ forward all ports? ›

DMZ opens up all the ports for one IP address on the LAN. DMZ can be used as an alternative for port forwarding all ports. Enabling DMZ server eases the traffic for gaming devices (XBOX, PlayStation, Wii), DVR (TiVo, Moxi) & devices connecting to the Virtual private network.

What are disadvantages of DMZ? ›

  • Increased complexity: Implementing a DMZ requires additional network configuration and management, which can be complex and time-consuming.
  • Increased cost: Setting up a DMZ requires additional hardware and software, which can increase the overall cost of the network.
Jan 1, 2023

Do DMZ provide security against internal or external threats? ›

DMZ networks isolate internal networks from the prying eyes of the public Internet and address pressing security vulnerabilities. DMZs are excellent buzzer zones to run external-facing servers. These services have the most contact to untrusted networks by isolating them from the internal networks.

Is DMZ a security risk? ›

The DMZ can have a major impact on security if not protected properly. In the event that a hacker gains entry to a file server in the DMZ, they may be able to access and download sensitive data and trading partner files that were placed there.


Top Articles
Latest Posts
Article information

Author: Nicola Considine CPA

Last Updated: 07/30/2023

Views: 6162

Rating: 4.9 / 5 (69 voted)

Reviews: 92% of readers found this page helpful

Author information

Name: Nicola Considine CPA

Birthday: 1993-02-26

Address: 3809 Clinton Inlet, East Aleisha, UT 46318-2392

Phone: +2681424145499

Job: Government Technician

Hobby: Calligraphy, Lego building, Worldbuilding, Shooting, Bird watching, Shopping, Cooking

Introduction: My name is Nicola Considine CPA, I am a determined, witty, powerful, brainy, open, smiling, proud person who loves writing and wants to share my knowledge and understanding with you.