In Korea there is a four kilometer wide strip of land that divides north from south called the Demilitarized Zone, or DMZ. This strip of land is a security measure between the two nations. After the Korean War the DMZ was created as a physical buffer to prevent, or at least limit the effectiveness of, an attack from the other side. From this real-life example we get the network security concept of a DMZ: a model where traffic must pass through a secure perimeter before it’s allowed to reach our network.
When we’re thinking about network security we can roughly classify our networks in two ways: insecure networks that we need to access, and protected networks that we need to defend. Our protected networks contain our resources, which may include workstations, servers, databases and anything else that should be kept secure. The insecure network is any area that we don’t have security control over; however, we still need to access its resources, or something in that network may need to access ours. A prime example of this is the internet, but we can also think of a network run by a business partner such as a supplier or a customer. We don’t manage the security of these networks, so we should not assume that they are secure.
DMZ to the Rescue
Let’s imagine that we have a website that some people on the internet need to access. It is made up of a web server and a database which contains sensitive information. Clearly our primary goal here is to protect this sensitive data, so one thing that we will do is add a firewall between the internet and our protected network. We will usually want to complement the firewall with an IPS, but for this article we won’t get into that sort of detail.

Can you see the risk with this topology? When we expose the web server to the internet like this, there is really only one layer of network security between a potential attacker and our sensitive information. Now imagine that an attacker has found a way past our firewall: maybe they’re clever and they’ve exploited a bug, maybe the firewall has failed for some reason, or maybe we’ve made a mistake when we configured it. Right away this attacker has access to our sensitive data.

What can we do about this? Well, we’ve talked about the defense-in-depth principle before. In short, this principle states that security should be layered, so if one layer fails or is ineffective, another layer can mount a defense. A DMZ, also known as a perimeter network, is a shining example of this. The DMZ itself is a network between the insecure area and the protected area. We will put services that are allowed to be accessed from the internet inside the DMZ. We will definitely keep our sensitive data out of the DMZ; even authentication details will be different to those in the protected network.

Think of our example from before: we have a website that people need to access from the internet. We can put a reverse proxy server in the DMZ. Clients on the internet will access the reverse proxy server, which does not hold any sensitive data. The reverse proxy server will then open a new connection to the web server in the protected network and retrieve the required web pages on behalf of the client. Can you see the extra layer of security we’ve added here? Any device we expose to the internet will take the brunt of the most attacks and therefore assumes the most risk. Even if an attacker gets lucky and is able to compromise the DMZ, they haven’t yet reached our sensitive data, so compromising one part of the system has not compromised the entire system.

And of course that’s just one example. Another is with email: perhaps you’re running Microsoft’s Exchange server. You can put an Edge Transport server in the DMZ while keeping your Hub Transport and Mailbox roles safe.
Building a DMZ
Now let’s consider how we can build a DMZ. Start by defining what needs to be protected. This will generally be a straightforward question, as these days we need to protect just about everything. Next, find the entry points to the network. The obvious one is where devices connect to the internet, so we’re thinking about access to your web servers, where emails come in, and that sort of thing. Don’t ignore any partner networks, customer networks or even WAN connections that your organization may not have control over. Think about VPNs: do you have control over where your staff connect from?

Now that you have all this information, decide if it’s okay to have a single DMZ area or if you need more than one. If the internet is your only entry point then one is going to be fine. If you have access to a partner or customer network you may be offering them different services than you offer to the internet; in this case two perimeter networks may be ideal.

There are two approaches to building your DMZ. The first is to use dual-homed servers. This is where your server, either physical or virtual, has two network interfaces, each connected to a different network: one to the insecure network and one to the protected network. This provides a high level of separation, but it still has some downsides. It’s hard to scale if you have many devices, you still only have protection from one firewall and IPS, and not all appliances have two network cards. In addition, each of these servers needs special routing configuration to support the two interfaces.

The other option is to have an entirely separate network for the DMZ. There is a firewall on each side, so all traffic gets thoroughly checked for attacks. I prefer this method personally, as it scales very well, it’s suitable for all servers and appliances, and it’s a great place for VPNs and partner networks to connect. However, in some ways it is a little more complicated: there are additional firewalls to configure and you need to consider routing. The simplest routing option is to use layer 3 firewalls; of course you could also use dedicated routers along with layer 2 firewalls if you wanted to.

When you don’t think these aspects through it’s easy to build your DMZ poorly. One mistake that’s easy to make is to simply create a new VLAN on a router and put some servers in there. Now, this will add some extra security because you’re still using a reverse proxy or something like that, but there’s still no other security between the DMZ and the protected network; traffic is simply routed between the two. If an attacker were to come from the servers in the DMZ, they would have full network access to the protected areas as well.

Another easy mistake to make is to put a domain controller in the DMZ, perhaps for logon purposes, which extends Active Directory outside the protected area. Personally I recommend against this: there’s a lot of information in Active Directory and you need to protect that as well. One alternative, if you need Active Directory in the DMZ, is to create a new domain for this area, and then if you need them joined you could consider a forest trust or something like that. Or, if this is just for authenticating to devices in the DMZ, consider a different technology, maybe RADIUS, TACACS or LDAP.
Now let’s think about how we can deploy our firewalls for a simple DMZ network to protect our resources from the internet. Keep in mind that I say firewalls, but often they’re paired with an IPS. There are two basic ways we could do this, and each has its upsides and downsides.

The first option is to have two separate firewalls with the DMZ network sandwiched between them. One firewall protects the DMZ from the internet; the other protects the secure network from the DMZ. Each firewall has two interfaces for this purpose. When traffic comes in from the internet it is checked at the first firewall, then it arrives at the server in the DMZ. When the DMZ server passes the packet on, it’s checked at the second firewall before it’s allowed to access the secure network.

The other alternative is to use a single firewall that has a connection into each of these three areas. It will use different rules depending on which two areas the traffic has been flowing between. When traffic comes in from the internet it will need to pass through the firewall and then be forwarded to the DMZ area. When traffic is sent from the DMZ it will pass through the same firewall and be forwarded to the protected network.

So which of these two options is better? There are pros and cons to each. Using two firewalls is generally considered to be more secure: when there are two separate firewalls, there are extra layers that an attacker may need to compromise before gaining access to the network. However, deploying two firewalls is more expensive, as there are more devices to buy, license and maintain. This is both a financial cost and a time-based cost. Using a single firewall may also be a bottleneck for traffic. With all traffic going through a single firewall, maybe twice, you need to make sure that the single device can handle it, whereas two firewalls would split the volume of traffic across two different devices.
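As an added example (not from the article), here is a small Python model of the single three-legged firewall described above, using constructed addresses for each leg. It evaluates the zone-to-zone rules of a correct DMZ policy next to the "just a new VLAN" mistake from the previous section, where DMZ-to-protected traffic is simply routed, so a compromised reverse proxy can reach the database.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed addressing for the three legs of one firewall (not from the article).
DMZ_NET = ip_network("192.0.2.0/24")         # reverse proxy lives here
PROTECTED_NET = ip_network("10.10.0.0/16")   # web server and database live here

def zone_of(ip: str) -> str:
    """Map an address to the firewall leg it arrives on or leaves by."""
    addr = ip_address(ip)
    if addr in DMZ_NET:
        return "dmz"
    if addr in PROTECTED_NET:
        return "protected"
    return "internet"  # anything we do not own is the insecure network

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any port
    action: str              # "accept" or "drop"

def evaluate(policy: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "accept"  # same leg: the traffic never transits the firewall
    for rule in policy:
        if (rule.src_zone, rule.dst_zone) == (src_zone, dst_zone) \
           and rule.dst_port in (None, dst_port):
            return rule.action
    return "drop"

# Correct three-zone policy: only the two hops the reverse-proxy design needs.
DMZ_POLICY = [
    Rule("internet", "dmz", 443, "accept"),    # clients reach the reverse proxy
    Rule("dmz", "protected", 8080, "accept"),  # proxy fetches pages from the web server
]

# The "just a new VLAN" mistake: DMZ and protected network are simply routed.
FLAT_VLAN_POLICY = [
    Rule("internet", "dmz", 443, "accept"),
    Rule("dmz", "protected", None, "accept"),  # every port, every host
]
```

Run `evaluate(DMZ_POLICY, "192.0.2.10", "10.10.2.30", 5432)` and the flat policy with the same arguments to see the difference between the two designs: the proper DMZ drops the proxy-to-database connection, the flat VLAN accepts it.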
However, the most secure option is to use two firewalls from two different vendors. If there’s a security flaw in one of the firewalls, chances are that the same flaw will not exist in the other. This is yet another example of defense-in-depth: changing how our layers work so one can be a backup for the other. Keep in mind, though, that this does make your job harder. In addition to the higher cost, you need to know both firewalls well; a badly configured firewall may be the same as no firewall at all. The way you choose to implement your DMZ is up to you and your team, but if you’re exposing your services to the internet or any other network where you don’t have security control, then a DMZ is a must-have.