SolutionBase: Strengthen network defense with a DMZ (2023)

The concept of a DMZ, like many other network security terms, is borrowed from military terminology. Geopolitically, a demilitarized zone (DMZ) is an area that lies between two mutually hostile territories, or along the battle lines of two opposing forces. The term first came into wide use for the strip of land that bisects the Korean Peninsula and separates North from South. In computer networking, the DMZ likewise provides a buffer zone that separates an internal network from the hostile territory of the public Internet. It is sometimes called a "screened subnet" or a "perimeter network", but the goal is the same.

In this article, we look at how a DMZ works and at the different security architectures used to build one. In the second article of this two-part series, we'll discuss which computers should (and shouldn't) be placed in the DMZ and how DMZ activity is monitored.

Unlike the geopolitical DMZ, a DMZ network is not a no-man's-land that belongs to nobody. If you create a DMZ for your company, it is yours and under your control. It is, however, an isolated network, separate from your corporate LAN (the "internal" network): a DMZ uses IP addresses that belong to a different network ID.

If you think of the internal network as the "trusted" network and the external public network (the Internet) as the "untrusted" network, you can think of the DMZ as a "semi-trusted" zone. It is not as secure as the LAN, but because it sits behind a firewall it is not as exposed as the Internet either. You can also think of the DMZ as a "bridge network" that can communicate with both the Internet and the LAN and sits between the two, as shown in Figure A.

Figure A

SolutionBase: Strengthen network defense with a DMZ (1)
The DMZ sits between the "hostile" Internet and the internal corporate network.

What this lets you do is place the computers that must communicate directly with the Internet (your public servers) in the DMZ rather than on your internal network. They are protected by the external firewall, although they remain exposed simply because they have direct contact with hosts on the Internet. Because the DMZ is only "semi-secure", it is easier to compromise a computer in the DMZ than one on the internal network. The good news is that if a DMZ computer is compromised, the attacker has not thereby compromised the internal network, because the DMZ is a completely separate, isolated network. That isolation holds only as long as the firewall between the DMZ and the LAN permits just the specific traffic the internal network needs; a DMZ host that is allowed to open arbitrary connections inward becomes a stepping stone rather than a buffer.

Why put a computer on this riskier network? Consider an example: to do its job (presenting your company's public website), your web server must be reachable from the Internet. But a server on your internal network that is reachable from the Internet puts the whole network at risk of compromise. There are three ways to reduce this risk:


  • You could use a hosting company that hosts your websites on its own computers and networks. However, this gives you less control over your web servers.
  • You could host the public servers on the firewall computer itself. However, security best practice dictates that the firewall computer should act solely as a firewall (this reduces the likelihood of the firewall being compromised), and in practice this would hurt firewall performance. If you have a firewall appliance with a proprietary operating system, you cannot install other services on it anyway.
  • The third solution is to host the public web servers on a separate, isolated network: the DMZ.

The DMZ is created from two basic components: IP addressing and firewalls. Recall that two important characteristics of the DMZ are:

  1. It has a different network ID from the internal network.
  2. It is separated from both the Internet and the internal network by a firewall.

IP addressing scheme

A DMZ can use public or private IP addresses, depending on your firewall architecture and configuration. If you use public addresses, you usually need to subnet the block of IP addresses your ISP assigns you so that you have two separate network IDs. One network ID is used for the external interface of your firewall and the other for the DMZ network.

If you subnet your IP address block, you must configure your upstream router so that it has a route to the DMZ subnet via the firewall's external interface; otherwise packets for your public servers never arrive.
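The subnetting step above, worked through as an added example (this is not code from the original article). It splits a constructed ISP block from the TEST-NET-3 documentation range into a transit subnet for the firewall's external interface and a DMZ subnet, prints the static route the upstream router needs, and checks that the DMZ and the internal LAN really carry different network IDs. The addresses and the `10.0.0.0/24` LAN are assumptions chosen for the example.

```python
import ipaddress

# Constructed example values: a /28 from the TEST-NET-3 documentation range
# stands in for the block your ISP assigned; 10.0.0.0/24 stands in for the LAN.
ISP_BLOCK = "203.0.113.0/28"
INTERNAL_LAN = "10.0.0.0/24"


def plan_dmz_addressing(isp_block: str) -> dict:
    """Split the ISP block into two network IDs: a small transit subnet for
    the firewall's external interface and a second subnet for the DMZ."""
    block = ipaddress.ip_network(isp_block, strict=True)
    transit, dmz = block.subnets(prefixlen_diff=1)  # two equal halves
    transit_hosts = list(transit.hosts())
    dmz_hosts = list(dmz.hosts())
    if len(transit_hosts) < 2 or len(dmz_hosts) < 2:
        raise ValueError("block too small to split into transit + DMZ")
    fw_external = transit_hosts[1]
    return {
        "transit": str(transit),
        "isp_router": str(transit_hosts[0]),   # ISP's end of the link
        "fw_external": str(fw_external),       # firewall external interface
        "dmz": str(dmz),
        "fw_dmz": str(dmz_hosts[0]),           # firewall's DMZ-leg address
        "dmz_servers": [str(h) for h in dmz_hosts[1:]],
        # Static route the upstream router needs so the DMZ subnet is reached
        # through the firewall (Cisco IOS syntax: ip route <net> <mask> <next-hop>).
        "upstream_route": f"ip route {dmz.network_address} {dmz.netmask} {fw_external}",
    }


def check_distinct_network_ids(dmz: str, internal: str) -> bool:
    """The DMZ must carry a different network ID from the internal LAN;
    overlapping prefixes would let routing merge the two zones."""
    return not ipaddress.ip_network(dmz).overlaps(ipaddress.ip_network(internal))


if __name__ == "__main__":
    plan = plan_dmz_addressing(ISP_BLOCK)
    for key, value in plan.items():
        print(f"{key:15} {value}")
    print("DMZ distinct from LAN:", check_distinct_network_ids(plan["dmz"], INTERNAL_LAN))
```

The transit half only ever needs two addresses (the ISP's router and the firewall), so with a larger block you would normally give the transit link a /30 and leave the rest for the DMZ; the equal split here keeps the example simple.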

You can also build a DMZ on the same physical switching infrastructure that carries your internal network by using Virtual LAN (VLAN) tagging. This is a method of partitioning traffic that shares a common switch into separate virtual local area networks, as described in the IEEE 802.1Q standard. The specification defines a standard way of tagging Ethernet frames with VLAN membership information. Note that a VLAN only separates the two zones at Layer 2; the DMZ VLAN still needs its own network ID so that traffic between it and the LAN has to pass through the firewall to be routed, where it can be filtered.
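To make the tagging concrete, here is an added example (not from the original article) that parses the 802.1Q tag out of a raw Ethernet frame and maps the VLAN ID to a security zone. The VID-to-zone assignment (10 for the internal LAN, 20 for the DMZ) and the sample frames are constructed for the example; the tag layout (TPID 0x8100 followed by a 16-bit TCI holding PCP, DEI and the 12-bit VID) is from the standard.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that marks an 802.1Q-tagged frame
ETHERTYPE_IPV4 = 0x0800

# Constructed VLAN-to-zone map; the VIDs are assumptions, not from the article.
VLAN_ZONES = {10: "internal", 20: "dmz"}


def parse_ethernet_frame(frame: bytes) -> dict:
    """Parse dst/src MACs and, if present, the 802.1Q tag (PCP, DEI, VID)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype,
            "vlan": vlan, "payload": frame[offset:]}


def zone_for_frame(frame: bytes, vlan_zones=VLAN_ZONES) -> str:
    """Map a frame to a security zone by VID. Untagged frames, priority-tagged
    frames (VID 0) and the reserved VID 4095 are never assigned to a zone."""
    parsed = parse_ethernet_frame(frame)
    if parsed["vlan"] is None:
        return "untagged"
    vid = parsed["vlan"]["vid"]
    if vid in (0, 4095):
        return "invalid"
    return vlan_zones.get(vid, "unknown")


def build_frame(dst: bytes, src: bytes, payload: bytes, vid=None, pcp=0) -> bytes:
    """Build a (possibly tagged) frame; used here only to construct sample input."""
    header = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload


if __name__ == "__main__":
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    for vid in (10, 20, None, 0, 30):
        print(vid, zone_for_frame(build_frame(dst, src, b"\x45" + b"\x00" * 19, vid=vid)))
```

The "untagged" and "unknown" outcomes are the ones a switch or firewall port policy has to decide about explicitly: a trunk that silently places untagged frames into a native VLAN is a classic way for DMZ and LAN traffic to end up mixed.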

If you use private IP addresses for the DMZ, you need a NAT (Network Address Translation) device to translate the private addresses to a public address at the Internet edge. Most firewalls provide address translation.

Whether you choose a NAT or a routed relationship between the Internet and the DMZ depends on the applications you must support, since some applications (those that embed IP addresses in their payload or need inbound connections to arbitrary ports) do not work well through NAT.

Firewalls and the DMZ

When we say that a firewall should separate the DMZ from both the internal LAN and the Internet, this does not necessarily mean you must buy two firewalls. If you have a "three-legged" firewall (one with at least three network interfaces), the same firewall can serve both functions. On the other hand, there are reasons you might want to use two separate firewalls (a front-end and a back-end firewall) to create the DMZ.

Figure A above shows a DMZ built with two firewalls, called a back-to-back DMZ. The advantage of this configuration is that you can use a fast packet-filtering firewall/router at the front end (the Internet edge) to maximize the performance of your public servers, and a slower application-layer filtering (ALF) firewall at the back end (next to the corporate LAN) to add protection for the internal network without affecting the performance of the public servers. Using products from two different vendors also means that a single firewall vulnerability or misconfiguration does not open the whole path into the LAN. Each firewall in this configuration has two interfaces. The front-end firewall has an external interface to the Internet and an internal interface to the DMZ, while the back-end firewall has an external interface to the DMZ and an internal interface to the company LAN.

If you use a single firewall to create the DMZ, it is called a trihomed DMZ, because the firewall computer or appliance connects to three separate networks:

  1. The internal interface to the trusted network (the internal LAN)
  2. The external interface to the untrusted network (the public Internet)
  3. The interface to the semi-trusted network (the DMZ)

The trihomed DMZ looks like Figure B.

Figure B

SolutionBase: Strengthen network defense with a DMZ (2)
A trihomed DMZ uses a "three-legged" firewall to create the three networks.

Even if you use a single trihomed firewall to protect both the DMZ and the internal network, you should configure rules that evaluate traffic by source and destination. That is, there should be separate rules for:

  • Inbound traffic from the Internet to the DMZ
  • Inbound traffic from the DMZ to the internal LAN
  • Inbound traffic from the Internet to the internal network
  • Outbound traffic from the internal network to the DMZ
  • Outbound traffic from the internal network to the Internet
  • Outbound traffic from the DMZ to the Internet

A DMZ greatly reduces the complexity of traffic filtering because you can have one set of rules covering all the computers in the DMZ. If you instead hosted the public servers on the internal network, you would need to set up separate rules for each hosted server and "publish" each server individually so that it could be reached from the Internet.

You will almost certainly want to block all Internet traffic to internal computers. You also need to restrict traffic from the DMZ to the internal network and from the Internet to the DMZ. Allow only the traffic your users need to reach the resources they need. This means applying the "principle of least privilege": by default all traffic is denied, and ports are then opened (and the traffic logged) on a need-to-know basis.
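The zone-based rule set and default-deny policy described above, as an added example that is not part of the original article: each packet is classified by source and destination zone, matched against a per-zone-pair permit list, and logged; anything unmatched is denied. The subnets, hosts and rule set are constructed for the example (the DMZ web server may reach only the internal database, and there is deliberately no Internet-to-internal rule). A small lint function catches a rule that would open that path.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed addressing (assumptions, not from the article): the DMZ and the
# internal LAN are separate network IDs; anything else is treated as Internet.
ZONES = {
    "dmz": ipaddress.ip_network("192.168.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/24"),
}
WEB_SERVER = "192.168.2.10"   # DMZ host allowed to reach the internal database
DB_SERVER = "10.0.0.50"


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: Optional[int] = None   # None matches any port
    src_host: Optional[str] = None   # None matches any host in src_zone
    dst_host: Optional[str] = None
    comment: str = ""


# One group of rules per source/destination zone pair. Every rule is a permit;
# whatever is not matched falls through to the default deny.
RULES = [
    Rule("internet", "dmz", "tcp", 80, comment="public web"),
    Rule("internet", "dmz", "tcp", 443, comment="public web (TLS)"),
    Rule("dmz", "internal", "tcp", 1433, src_host=WEB_SERVER, dst_host=DB_SERVER,
         comment="only the web server may reach the database"),
    Rule("internal", "dmz", "tcp", 22, comment="admins manage DMZ hosts"),
    Rule("internal", "internet", "tcp", 443, comment="user browsing"),
    Rule("dmz", "internet", "udp", 53, comment="DMZ name resolution"),
    # Deliberately no internet -> internal rule: that path stays closed.
]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: int


@dataclass
class Firewall:
    rules: list
    log: list = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        sz, dz = zone_of(pkt.src), zone_of(pkt.dst)
        flow = f"{sz}->{dz} {pkt.src}->{pkt.dst}:{pkt.dst_port}/{pkt.proto}"
        for rule in self.rules:
            if (rule.src_zone, rule.dst_zone, rule.proto) != (sz, dz, pkt.proto):
                continue
            if rule.dst_port not in (None, pkt.dst_port):
                continue
            if rule.src_host not in (None, pkt.src) or rule.dst_host not in (None, pkt.dst):
                continue
            self.log.append(f"ALLOW {flow} ({rule.comment})")
            return "allow"
        # Least privilege: nothing matched, so deny and record the attempt.
        self.log.append(f"DENY  {flow} (default)")
        return "deny"


def lint_rules(rules) -> list:
    """Return rules that would open the Internet directly into the internal LAN."""
    return [r for r in rules if r.src_zone == "internet" and r.dst_zone == "internal"]


if __name__ == "__main__":
    fw = Firewall(RULES)
    for pkt in (Packet("198.51.100.7", WEB_SERVER, "tcp", 80),
                Packet("198.51.100.7", DB_SERVER, "tcp", 445),
                Packet("192.168.2.11", DB_SERVER, "tcp", 1433)):
        fw.evaluate(pkt)
    print("\n".join(fw.log))
```

Note that the database rule is pinned to one source host: if any DMZ machine could reach the database, compromising the least important DMZ server would be as good as compromising the web server.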

Vendor support for the DMZ

Major hardware and software vendors support the DMZ concept in their products. Cisco routers have multiple LAN ports, one of which is designated the DMZ port, and the IOS operating system uses Port Address Translation (PAT) to allow traffic to be routed to multiple servers through a single destination IP address. As the name implies, PAT uses port numbers (such as 80 for the web server and 25 for the mail server) to distinguish between the servers. This lets you run several public servers without paying for multiple public IP addresses.
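The PAT behaviour just described, as an added example (not Cisco's code and not from the original article): one public address fronts several DMZ servers, distinguished by destination port through a static inbound map, while connections the DMZ servers initiate outward get a stateful translation so that replies can be mapped back. The public address, the DMZ server addresses and the ephemeral port range are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, port)


@dataclass
class PatGateway:
    """Port Address Translation at the Internet edge: one public address,
    several DMZ servers selected by destination port (static inbound map),
    plus stateful translation for connections the DMZ initiates."""
    public_ip: str
    static_inbound: Dict[int, Endpoint]          # public port -> DMZ server
    next_port: int = 40000                        # start of ephemeral range (assumption)
    outbound: Dict[int, Endpoint] = field(default_factory=dict)  # public port -> private src
    reverse: Dict[Endpoint, int] = field(default_factory=dict)   # private src -> public port

    def translate_inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Translate an Internet packet addressed to the public IP.
        Returns the private endpoint, or None if nothing claims that port
        (unsolicited traffic is dropped rather than passed through)."""
        ip, port = dst
        if ip != self.public_ip:
            return None
        if port in self.static_inbound:
            return self.static_inbound[port]
        return self.outbound.get(port)            # reply to an outbound flow

    def translate_outbound(self, src: Endpoint) -> Endpoint:
        """Rewrite a DMZ-originated source to the public IP and a unique port."""
        if src not in self.reverse:
            port = self.next_port
            while port in self.static_inbound or port in self.outbound:
                port += 1                          # never reuse a published port
            self.next_port = port + 1
            self.outbound[port] = src
            self.reverse[src] = port
        return (self.public_ip, self.reverse[src])


if __name__ == "__main__":
    # Constructed example: web server and mail server behind one public address.
    gw = PatGateway("203.0.113.2", {80: ("192.168.2.10", 80),
                                    443: ("192.168.2.10", 443),
                                    25: ("192.168.2.20", 25)})
    print(gw.translate_inbound(("203.0.113.2", 80)))
    print(gw.translate_inbound(("203.0.113.2", 22)))   # None: not published
    print(gw.translate_outbound(("192.168.2.20", 51234)))
```

The security property worth noticing is in `translate_inbound`: only the ports you explicitly published, plus ports belonging to flows a DMZ host opened itself, reach anything behind the gateway. Everything else has no translation and is dropped, which is why PAT alone already behaves like a coarse inbound filter, although it is not a substitute for the firewall rules.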

Many firewall appliances, such as SonicWall, come with three Ethernet ports: a LAN port (to connect to the internal network), a WAN port (to connect to the Internet) and a DMZ port (to connect to the network that hosts your public servers).

The multi-networking feature of Microsoft ISA Server 2004 lets you connect the ISA Server firewall to any number of networks, limited only by the number of network interface cards you can install in the machine. In the ISA model, no network is automatically "trusted"; you configure security according to the needs of each network.

Many people consider a DMZ a "wide open" network, like the geopolitical DMZ where you risk being shot at every turn. However, not all DMZs are created equal when it comes to security architecture. Just because computers are in the DMZ does not mean there is no way to protect them. The level of security within the DMZ also depends on the type of servers placed there. We can divide DMZs into two security categories:

  1. DMZs for unauthenticated (anonymous) access
  2. DMZs designed for authenticated access

If you have a web server that you want everyone on the Internet to be able to reach (such as a web presence that advertises your company), you must allow anonymous access; you can't hand out authentication credentials to every stranger who visits your site. However, if the Internet-facing servers in your DMZ are used by partners, customers or employees working remotely, you can require authentication before they can be accessed. This makes it harder for an attacker to get in.

The DMZ honeynet

There is a special use for the anonymous-access type of DMZ: creating a "honeynet". This is a network made up of one or more "honeypot" computers designed to attract hackers so they can be detected, tracked or diverted from the network's real resources. Unlike other DMZs, you actually want this network to be compromised. Because you expect these hosts to fall, the firewall must also tightly limit outbound connections from the honeynet, so that a captured honeypot cannot be used as a staging point against your other networks or anyone else's.

The computers in a honeynet are often virtual machines, all installed on a single physical computer, and intrusion detection systems and other monitoring systems are deployed to gather information about the techniques, tactics and identities of the attackers.

Host security in the DMZ

Because the DMZ is a less secure network than the internal network, host security is even more important for the computers that live "out there". Servers in your DMZ should be locked down as much as possible (while preserving accessibility for those who need to reach them). This means:

  • All unnecessary services must be disabled.
  • The services that are needed run with the minimum possible privileges.
  • Strong passwords or passphrases must be used.
  • Unnecessary user accounts should be deleted or disabled, and default accounts obscured by renaming them, changing their descriptions and so on.
  • Systems must have the latest security updates and patches applied.
  • Security logging must be enabled (and you should review the logs often!)
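A quick way to verify the first two items in that list on a Linux DMZ host is to compare what is actually listening against what the server is supposed to expose. The following is an added example (not from the original article) that parses the output of `ss -ltnp` and flags listeners that are not on the allow-list; the `ss` output, the allow-list and the process names are constructed sample data for a hypothetical DMZ web server.

```python
import re

# Constructed `ss -ltnp` output for a DMZ web server (sample input, not a real capture).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=812,fd=6))
LISTEN  0       511     [::]:443             [::]:*             users:(("nginx",pid=812,fd=7))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=640,fd=3))
LISTEN  0       100     127.0.0.1:25         0.0.0.0:*          users:(("master",pid=900,fd=13))
LISTEN  0       4096    0.0.0.0:111          0.0.0.0:*          users:(("rpcbind",pid=500,fd=4))
LISTEN  0       50      *:3306               *:*                users:(("mysqld",pid=1200,fd=21))
"""

# What this particular DMZ host is supposed to expose (assumption for the example).
ALLOWED_PORTS = {80: "nginx", 443: "nginx", 22: "sshd"}

PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss(output: str) -> list:
    """Turn `ss -ltnp` lines into {addr, port, process} records."""
    rows = []
    for line in output.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)      # handles [::]:443 and *:3306
        match = PROCESS_RE.search(line)
        rows.append({"addr": addr.strip("[]"), "port": int(port),
                     "process": match.group(1) if match else "?"})
    return rows


def audit_listeners(output: str, allowed=ALLOWED_PORTS) -> list:
    """Return (severity, port, process, message) for every listener that
    deviates from the allow-list. Loopback-only listeners are reported as
    info; anything else that is not allowed is a failure."""
    findings = []
    for r in parse_ss(output):
        loopback = r["addr"] in ("127.0.0.1", "::1")
        if r["port"] in allowed:
            if r["process"] != allowed[r["port"]]:
                findings.append(("warn", r["port"], r["process"],
                                 "unexpected process on allowed port"))
            continue
        if loopback:
            findings.append(("info", r["port"], r["process"],
                             "loopback only; disable if not needed"))
        else:
            findings.append(("fail", r["port"], r["process"],
                             "exposed service not on allow-list: disable it"))
    return findings


if __name__ == "__main__":
    for severity, port, process, message in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{severity:5} {port:>5} {process:10} {message}")
```

On a real host you would feed in `subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout` instead of the sample string; the parsing is the same. The "warn" case (an allowed port served by an unexpected binary) is the one that most often indicates a compromise rather than a configuration slip.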

The definition of "DMZ" is becoming broader, and there are other uses for these "semi-trusted" networks. Today's networks are complex, and security professionals are beginning to realize that the concept of a single network "edge" or "perimeter" is outdated; a corporate network has multiple perimeters. DMZs can therefore be appropriate in places other than the Internet edge, and large networks can benefit from having multiple DMZs.

FAQs

How does a DMZ improve network security?

DMZs are an essential part of network security for both individual users and large organizations. They provide an extra layer of security by keeping Internet-exposed services away from internal servers and data, so that a breach of an exposed service does not directly reach the systems whose compromise would be most damaging.

What would we use a DMZ to protect?

A network DMZ protects the internal network: the services that must be reachable from the Internet live in the DMZ, so an attacker who compromises one of them still faces a firewall before reaching internal systems. The military analogy is the Korean DMZ: if North Korea were to attack South Korea, its forces would have to cross that tract of land, giving the South a short warning that an attack was under way and time to prepare its defences.

What is a DMZ and what is it used for?

A DMZ, short for demilitarized zone, is a network (physical or logical) used to connect hosts that provide an interface to an untrusted external network, usually the Internet, while keeping the internal, private network, usually the corporate network, separated and isolated from the external network.

What are some of the benefits of creating a DMZ with two firewalls?

Two firewalls let you split the work: a fast packet-filtering firewall at the Internet edge and an application-layer firewall in front of the LAN, so public servers keep their performance while internal hosts get deeper inspection. Using different products for the two also means a single firewall vulnerability or misconfiguration does not open the whole path, and the back-end firewall continues to protect internal services on the LAN if the perimeter firewall is overwhelmed by a denial-of-service attack.

What is an example of a DMZ?

In military parlance, a demilitarized zone (DMZ) is an area where warring parties agree to lay aside their disagreements to achieve a state of peace, for instance the narrow strip of land that divides the Korean Peninsula, separating North and South Korea.

How can we improve network security?

Ways to improve network security:
  1. Train your employees. People are the foundation of every solid cybersecurity plan. ...
  2. Keep an eye on software vulnerabilities. ...
  3. Be careful responding to emails. ...
  4. Physically protect your network. ...
  5. Use VLANs. ...
  6. Improve your passwords. ...
  7. Encrypt the entire network.

What type of network is usually protected by a DMZ?

Any service that is offered to users on the public Internet should be set up in the DMZ network. The external-facing servers, services and resources are usually placed there. Services include web, Domain Name System (DNS), email, proxy servers, File Transfer Protocol (FTP) and Voice over Internet Protocol (VoIP).

Does a DMZ bypass the firewall?

No. The "DMZ" setting on a consumer router is a different feature from the screened subnet described in this article: it forwards every inbound packet that does not belong to an existing connection to one designated LAN host. That host is exposed to the Internet with no filtering, which is the opposite of protection; on a home router it is a convenience for devices that need many open ports, not a security measure.

How do you implement a DMZ?

The steps below configure the "default DMZ server" (DMZ host) feature of a typical consumer router, which exposes a single LAN address; an enterprise DMZ is built with the addressing and firewall architecture described in the article above.

To set up a default DMZ server:
  1. Launch a web browser from a computer or mobile device that is connected to your router's network.
  2. Enter the router user name and password. The user name is admin. ...
  3. Select ADVANCED > Setup > WAN Setup. ...
  4. Select the Default DMZ Server check box.
  5. Type the IP address.
  6. Click the Apply button.


What are some ways to protect your network?

Proven ways to secure a computer network:
  • Install and monitor firewall performance.
  • Update passwords when needed and/or yearly.
  • Lean on advanced endpoint detection.
  • Create a virtual private network (VPN).
  • Train your employees.
  • Filter and delete spam emails.
  • Shut down computers when not in use.
  • Encrypt your files.

What are the basic network security measures?

Types of network security measures:
  • Firewalls. A firewall is a barrier or filter between a given network and the outside world or the Internet at large. ...
  • Access control. ...
  • Network segmentation. ...
  • Intrusion prevention systems.

What is the first step in improving network security?

Step 1: Identify connectivity susceptibilities

This step starts with an end-to-end review of the network, including model information and configuration data on routers, switches, firewalls and cabling -- as well as all the computers, servers and peripheral devices connected to them.

Does a DMZ need two firewalls?

Not necessarily; a single three-legged firewall can also create a DMZ (the trihomed design described above). In the two-firewall implementation, the first firewall (the "front-end" firewall) is configured to allow only traffic destined for the DMZ, and the second firewall (the "back-end" firewall) allows only the specifically permitted traffic from the DMZ into the internal network.

Does a DMZ forward all ports?

On a consumer router, yes: the "DMZ host" setting sends all unsolicited inbound traffic to one LAN address and is used as an alternative to forwarding each port individually, typically for game consoles (Xbox, PlayStation, Wii), DVRs (TiVo, Moxi) and devices that terminate a virtual private network. That host should be treated as fully exposed to the Internet.

What are the disadvantages of a DMZ?

Disadvantages:
  • Increased complexity: implementing a DMZ requires additional network configuration and management, which can be complex and time-consuming.
  • Increased cost: setting up a DMZ requires additional hardware and software, which can increase the overall cost of the network.

Does a DMZ provide security against internal or external threats?

DMZ networks isolate internal networks from the public Internet and address the most pressing exposure: the external-facing servers, which have the most contact with untrusted networks, run in the DMZ buffer zone, isolated from the internal network. A DMZ protects against external threats; it does not by itself protect the internal network from insiders.

Is a DMZ a security risk?

The DMZ can have a major impact on security if it is not protected properly. If a hacker gains entry to a file server in the DMZ, they may be able to access and download sensitive data and trading-partner files that were placed there.

Article information

Author: Nicola Considine CPA

Last Updated: 07/30/2023
