Demilitarized Zone (DMZ)
A DMZ is one or more network segments that lie inside the network perimeter
but not on the inside (trusted) side of the firewall device. Two types are common.
The first type of DMZ, often called the dirty DMZ or dirty net, is the LAN segment between the perimeter router
and the firewall. This area has only the protection of the perimeter router and
the individual security features of any devices placed there. The second type of
DMZ is made up of one or more additional LAN interfaces on the firewall. These
areas are often called protected DMZs because they have
the additional protection offered by the firewall device.
Many firewall devices offer six or more interfaces, allowing multiple
protected DMZs with different security requirements. Careful thought has to be
given to whether the performance benefit of the dirty DMZ (traffic there is
"filtered" only once, by the perimeter router) is offset by the increased risk
to whatever is placed out there; only hosts whose compromise can be tolerated
belong in the dirty DMZ.
DMZs contain shared server resources, such as web, DNS, and e-mail
servers. These servers are available to the outside world. These shared servers
are often called bastion hosts, bastion servers, or even sacrificial hosts.
Bastion hosts must be hardened, and they receive the highest-priority security
maintenance (prompt patching, regular review of what they expose) because of
their exposure to the outside world and the increased likelihood of attack. A
bastion server runs only the specific services being shared; every other
service is stopped or disabled, so that nothing is listening on the host that
was not deliberately published.
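One routine check that follows from this is to compare what a bastion host is actually listening on against the services it was built to publish. The script below is an added example, not code from the original text: it parses the output of `ss -ltunp` (a constructed sample is embedded so it runs offline), compares each listening socket with an assumed allowlist for a web bastion (HTTP, HTTPS, and SSH for administration), and separates listeners exposed on all addresses from those bound only to loopback, which are not reachable from the DMZ network but still deserve a look.

```python
import re
from dataclasses import dataclass

# Assumed allowlist for a web bastion: the shared services plus ssh for
# administration. Adjust per host; this is an example, not a standard.
ALLOWED = {("tcp", 80), ("tcp", 443), ("tcp", 22)}

# Constructed sample of `ss -ltunp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      511          0.0.0.0:80         0.0.0.0:*     users:(("nginx",pid=812,fd=6))
tcp   LISTEN 0      511          0.0.0.0:443        0.0.0.0:*     users:(("nginx",pid=812,fd=7))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=640,fd=3))
tcp   LISTEN 0      128        127.0.0.1:3306       0.0.0.0:*     users:(("mysqld",pid=901,fd=21))
tcp   LISTEN 0      4096               *:111              *:*     users:(("rpcbind",pid=455,fd=4))
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*     users:(("rpcbind",pid=455,fd=5))
udp   UNCONN 0      0            0.0.0.0:68         0.0.0.0:*     users:(("dhclient",pid=390,fd=6))
"""

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(text):
    """Turn `ss -ltunp` output into Listener records; skips the header line."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        # Local Address:Port; rsplit keeps IPv6 literals such as [::]:22 intact.
        addr, port = fields[4].rsplit(":", 1)
        m = re.search(r'users:\(\("([^"]+)"', line)
        listeners.append(Listener(fields[0], addr, int(port), m.group(1) if m else "?"))
    return listeners


def audit_listeners(text, allowed):
    """Return (exposed, local_only): listeners not in the allowlist, split by
    whether they are reachable from the network or bound to loopback only."""
    exposed, local_only = [], []
    for lst in parse_ss(text):
        if (lst.proto, lst.port) in allowed:
            continue
        (local_only if lst.addr in LOOPBACK else exposed).append(lst)
    return exposed, local_only


if __name__ == "__main__":
    exposed, local_only = audit_listeners(SAMPLE_SS_OUTPUT, ALLOWED)
    for lst in exposed:
        print(f"UNEXPECTED  {lst.proto}/{lst.port:<5} {lst.process} on {lst.addr}")
    for lst in local_only:
        print(f"loopback    {lst.proto}/{lst.port:<5} {lst.process} on {lst.addr}")
```

On a live host, feed the function the output of `subprocess.run(["ss", "-ltunp"], capture_output=True, text=True).stdout` instead of the sample. In the sample, rpcbind on 111/tcp and 111/udp and the DHCP client on 68/udp are the kind of leftovers a hardened bastion should not have; the loopback-only MySQL socket is not reachable from the network but still indicates a service running that the host may not need.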
The dirty DMZ is bordered by the outside interface of the firewall device and
the internal interface of the perimeter router. The firewall must be configured
to allow regulated access from the outside network to the protected DMZ (only
the published services, on their own ports), while denying the outside network
any access to the inside network. Inside network users need access to the
server resources in the DMZ and are typically allowed limited access, with
connections from the DMZ toward the inside network restricted to replies to
sessions that originated on the inside; that way a compromised bastion host
cannot be used as a stepping stone into the inside network.
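The three-zone policy just described can be stated precisely as a table of permitted new flows plus connection tracking. The code below is an added example written for this page, not a configuration from the original text or from any particular firewall product: it models an outside, a protected DMZ, and an inside zone, admits new flows only where the policy table allows them, and lets packets of an already-admitted flow pass in either direction, so the DMZ can answer sessions the inside opened but cannot open sessions toward the inside. The address ranges, the permitted service ports, and the DMZ's outbound allowances (mail relay and DNS) are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed addressing: protected DMZ on 192.0.2.0/24, inside on 10.0.0.0/8;
# every other address is treated as the outside network.
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")

ANY = object()  # sentinel: every protocol/port is permitted for the zone pair

# Policy for NEW flows, keyed by (source zone, destination zone). Zone pairs
# that are absent are denied, which covers outside->inside and dmz->inside.
POLICY = {
    ("outside", "dmz"): {("tcp", 80), ("tcp", 443), ("tcp", 25), ("tcp", 53), ("udp", 53)},
    ("inside", "dmz"): {("tcp", 80), ("tcp", 443), ("tcp", 25), ("tcp", 53), ("udp", 53),
                        ("tcp", 22)},                 # ssh for administration (assumed)
    ("inside", "outside"): ANY,
    ("dmz", "outside"): {("tcp", 25), ("udp", 53)},   # mail relay, DNS recursion (assumed)
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr in DMZ_NET:
        return "dmz"
    if addr in INSIDE_NET:
        return "inside"
    return "outside"


class ZoneFirewall:
    """Stateful three-zone filter: a new flow is checked against POLICY; packets
    of an admitted flow pass in both directions (replies included)."""

    def __init__(self):
        self.flows = set()  # 5-tuples of flows admitted by policy

    def filter(self, p: Packet) -> str:
        fwd = (p.src, p.dst, p.proto, p.sport, p.dport)
        rev = (p.dst, p.src, p.proto, p.dport, p.sport)
        if fwd in self.flows or rev in self.flows:
            return "ACCEPT"  # established flow, including the reply direction
        src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
        if src_zone == dst_zone:
            return "ACCEPT"  # same segment; this traffic never transits the firewall
        allowed = POLICY.get((src_zone, dst_zone))
        if allowed is ANY or (allowed is not None and (p.proto, p.dport) in allowed):
            self.flows.add(fwd)
            return "ACCEPT"
        return "DROP"


if __name__ == "__main__":
    fw = ZoneFirewall()
    cases = [
        ("outside client to DMZ web server", Packet("198.51.100.7", "192.0.2.10", "tcp", 40000, 80)),
        ("DMZ web server replies", Packet("192.0.2.10", "198.51.100.7", "tcp", 80, 40000)),
        ("outside client straight to inside", Packet("198.51.100.7", "10.1.1.5", "tcp", 40000, 80)),
        ("admin on inside opens ssh to bastion", Packet("10.1.1.5", "192.0.2.10", "tcp", 50000, 22)),
        ("bastion replies to that session", Packet("192.0.2.10", "10.1.1.5", "tcp", 22, 50000)),
        ("compromised bastion probes inside SMB", Packet("192.0.2.10", "10.1.1.5", "tcp", 40001, 445)),
    ]
    for label, pkt in cases:
        print(f"{fw.filter(pkt):6} {label}")
```

The set of admitted 5-tuples is what makes "sessions originating within the inside network" enforceable: the bastion's packets toward 10.1.1.5 are accepted only when they match a flow the inside host opened, and a probe from the same bastion to a port nobody inside asked for is dropped. A real firewall additionally ages flows out and checks TCP state before treating a packet as a reply; this model omits that for clarity.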