The Network Demilitarized Zone: Increasing Security by Design
When neighbouring countries have strained relations, they often set up something called a Demilitarized Zone (DMZ) between them. It’s an area where neither side is authorized to deploy its military or claim control. It’s a no-man’s-land that acts as a buffer between the countries and isn’t part of either territory. The idea is to increase security and reduce tension; otherwise you could have military bases set up right next to each other, and that’s a recipe for bad things to happen.
The reason I’m bringing this up is that there’s a similar concept you can use when setting up your network to improve your security. It’s a straightforward idea, because when you think about it, “Any machine that is directly exposed to the Internet is a higher security risk than ones that aren’t.” So, machines that host connections from the Internet should be put into an area of your network called the DMZ.
What is a DMZ, for a computer network?
Much like a DMZ in the real world, it’s an area of heightened security, with additional protection deployed at the border.
The Internet is a lawless wasteland; we all know this. Every company knows it needs to put a firewall between itself and the Internet for its own protection. Most companies use a firewall that includes the ability to scan traffic for threats (AV, IPS, etc.).
Often what I see in company networks is a setup where traffic comes in through the firewall, passes through a switch and hits the server. This is fine, until you consider that the machine could be compromised by an Internet attacker. Once the machine is hacked, it has full access to attempt connections to any machine on your network, and there’s no traffic inspection or restriction of any kind.
From a network design standpoint, setting up a DMZ just means altering how traffic flows in your network. For those machines that host services open to the Internet, you need to make sure there’s a firewall between them and the Internet, as well as between them and your internal network. This doesn’t mean buying a second firewall; it just means that traffic to your internal network goes through one firewall interface and traffic to the DMZ goes through another. This lets you set up firewall rules that enable inspection and restrict traffic between your internal network and the DMZ.
As an example, let’s assume you’re setting up a DMZ for a small company or municipality. They’ve employed proper server configuration, so each server has a single purpose:
- One Domain Controller
- One File Server
- One Mail Server (running Exchange)
The only machine you can access directly from the Internet is the Exchange server. It can send and receive email, and users can connect to their mailbox from a home browser via Outlook Web Access (OWA). No other machines can be accessed from the Internet.
With a setup that small it’s very likely (and I see this a lot) that the design of their network means traffic from the inside goes to a switch, which is connected to the firewall, and then goes to the Internet. If that mail server is compromised, there’s nothing preventing the attacker from going after any other machine in the network using any method of communication they want.
Setting up a DMZ for that network would be as simple as connecting the mail server to a separate port on the firewall and maybe changing a few IP address references in its users’ email software.
A setup with a DMZ lets the network administrator set up firewall policies on the traffic going from internal machines to the Exchange server, and vice versa. It also permits them to enable inspection on this traffic, for an added layer of protection. Finally, it allows the communications to be limited, so that machines no longer have free and unrestricted access to everything else in your network. Everyone inside the network needs a connection to the Exchange server to check their email, but which machines does Exchange itself need to connect to, and why?
That’s the idea behind setting up a DMZ. Basically, you acknowledge that machines hosting services exposed to the Internet are a bigger risk by their nature, and the traffic flow gets set up to take that possibility into account. Assuming the machine is compromised, limiting its access means the attacker is also limited in what they can go after. This reduces the attack surface available to them, making it harder for an attacker to leverage their access.
Proper setup and design of your network traffic flow will increase your security without the need to install additional software. It won’t even increase the cost of your equipment by much. In some cases, it won’t increase costs at all.
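To make that last question concrete, here is an added example of what the three-zone policy for this small network could look like. It is my own illustration, not code or configuration from the original post or from TRINUS: the zone names, interface names, addresses and port numbers are all assumptions, and the Exchange-to-domain-controller port list is deliberately short (the real list for a given Exchange version is longer and should be taken from the vendor documentation). The script models the firewall as a first-match rule list with a default deny, checks a handful of sample flows against it, and renders the same policy as an nftables forward chain so you can see how “a separate port on the firewall” turns into rules.

```python
"""Three-zone firewall policy (WAN / DMZ / LAN) for the small network in the post.

Added example. Zones, addresses, interface names and ports are assumptions,
not values from the post. Evaluation is first-match with a default deny,
the way a typical firewall walks its rule list.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample addressing (assumed).
ZONES = {"lan": ip_network("10.0.10.0/24"), "dmz": ip_network("10.0.20.0/24")}
IFACE = {"wan": "eth0", "dmz": "eth1", "lan": "eth2"}  # assumed interface per zone
EXCHANGE = ip_address("10.0.20.5")      # the only Internet-reachable host
DC = ip_address("10.0.10.10")           # domain controller
FILE_SERVER = ip_address("10.0.10.20")  # should never be reachable from the DMZ


def zone_of(addr) -> str:
    """Anything not in a known internal range is treated as the Internet."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: Optional[object] = None    # None = any host in the zone
    proto: str = "tcp"                   # "tcp", "udp" or "any"
    ports: frozenset = frozenset()       # empty = any port
    action: str = "accept"               # "accept" or "drop"
    comment: str = ""

    def matches(self, sz, dz, dst, proto, dport) -> bool:
        if (sz, dz) != (self.src_zone, self.dst_zone):
            return False
        if self.dst_host is not None and dst != self.dst_host:
            return False
        if self.proto != "any" and proto != self.proto:
            return False
        return not self.ports or dport in self.ports


# Assumed policy: Internet and users only reach Exchange; Exchange only reaches the DC.
POLICY = [
    Rule("wan", "dmz", EXCHANGE, "tcp", frozenset({25, 443}), "accept",
         "SMTP and OWA from the Internet to Exchange only"),
    Rule("lan", "dmz", EXCHANGE, "tcp", frozenset({443}), "accept",
         "users reach OWA and Outlook over HTTPS"),
    Rule("dmz", "lan", DC, "tcp", frozenset({88, 389, 636, 3268}), "accept",
         "Exchange to DC: Kerberos, LDAP, LDAPS, global catalog (assumed, incomplete)"),
    Rule("dmz", "lan", DC, "udp", frozenset({53, 88}), "accept",
         "DNS and Kerberos over UDP to the DC (assumed)"),
    Rule("dmz", "lan", None, "any", frozenset(), "drop",
         "a compromised Exchange box gets nothing else on the LAN"),
]


def evaluate(src, dst, proto, dport):
    """First-match evaluation; returns (action, comment). Unmatched flows are dropped."""
    sz, dz = zone_of(src), zone_of(dst)
    for rule in POLICY:
        if rule.matches(sz, dz, dst, proto, dport):
            return rule.action, rule.comment
    return "drop", "implicit default deny"


def is_allowed(src, dst, proto, dport) -> bool:
    return evaluate(src, dst, proto, dport)[0] == "accept"


def render_nftables() -> str:
    """Render POLICY as an nftables forward chain; dropped DMZ traffic is logged."""
    lines = ["table inet fw {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept", "    ct state invalid drop"]
    for r in POLICY:
        parts = [f'iifname "{IFACE[r.src_zone]}"', f'oifname "{IFACE[r.dst_zone]}"']
        if r.dst_host is not None:
            parts.append(f"ip daddr {r.dst_host}")
        if r.proto != "any" and r.ports:
            parts.append(f"{r.proto} dport {{ {', '.join(map(str, sorted(r.ports)))} }}")
            parts.append("ct state new")
        parts.append(f'log prefix "{r.src_zone}-{r.dst_zone}-drop " drop'
                     if r.action == "drop" else "accept")
        parts.append(f'comment "{r.comment}"')
        lines.append("    " + " ".join(parts))
    return "\n".join(lines + ["  }", "}"])


if __name__ == "__main__":
    internet = ip_address("203.0.113.7")  # constructed external address
    for flow in [(internet, EXCHANGE, "tcp", 443), (internet, EXCHANGE, "tcp", 3389),
                 (ip_address("10.0.10.50"), EXCHANGE, "tcp", 443),
                 (EXCHANGE, DC, "tcp", 389), (EXCHANGE, FILE_SERVER, "tcp", 445)]:
        print(f"{flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: {evaluate(*flow)}")
    print(render_nftables())
```

The last rule is the one that changes the picture described in the post: with the mail server on its own firewall interface, an attacker who owns Exchange can still talk to the domain controller on the ports Exchange genuinely needs, but a connection attempt to the file server on SMB hits the logged drop rule instead of just working. Those log lines are also the cheapest early warning you will get that the DMZ host is misbehaving.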
If you have any questions about setting up a DMZ in your corporate network, you can always reach out to your TRINUS Account Manager for some stress-free IT.
Your Friendly Neighbourhood Cyberman.