Tuesday, 2 February 2016

Demilitarized Zone


In computer networks, a DMZ (demilitarized zone) is a physical or logical sub-network that separates an internal local area network (LAN) from other untrusted networks, usually the Internet. External-facing servers, resources and services are located in the DMZ so they are accessible from the Internet but the rest of the internal LAN remains unreachable. This provides an additional layer of security to the LAN as it restricts the ability of hackers to directly access internal servers and data via the Internet.

A firewall segments a network according to its security requirements, dividing it into a private (internal, trusted) network and a public (external, untrusted) network.

If the internal network needs to host a server or resource that must be reachable from outside, the firewall supports this by placing it in a demilitarized zone.

A DMZ can be used to host any server; services such as DNS, web (HTTP and HTTPS) and FTP are commonly provided from it.

DMZ (Demilitarized Zone)


There are two ways to design a DMZ: with a single firewall or with dual firewalls.
A single firewall with at least three network interfaces can be used to create a network architecture containing a DMZ. The external network runs from the ISP to the firewall's first network interface, the internal network hangs off the second network interface, and the DMZ hangs off the third network interface.

The second approach, using two firewalls to create the DMZ, is the more secure one. Here the first firewall, also called the perimeter firewall, is configured to allow only traffic destined for the DMZ. The second, or internal, firewall only allows traffic from the DMZ to the internal network. This is considered more secure since two devices would need to be compromised before an attacker could reach the internal LAN. Because a DMZ segments the network, security controls can be tuned specifically for each segment. For example, a network intrusion detection and prevention system located in a DMZ that contains only a web server can block all traffic except HTTP and HTTPS requests on ports 80 and 443.
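To make the rule logic of the single-firewall, three-interface design concrete, here is an added example (not from the original post) that models the policy as a zone-based, first-match filter with an implicit default deny; the subnets, the backend port 5432 and the rule list are constructed assumptions.

```python
"""Zone-based policy model for a three-interface DMZ firewall (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan: one subnet per firewall interface.
# Anything outside the known subnets is treated as the Internet zone.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "lan": ip_network("10.0.0.0/8"),
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                       # "tcp", "udp" or "any"
    dports: Optional[frozenset]      # None = any destination port
    action: str                      # "allow" or "deny"

# Hypothetical ruleset for the single-firewall design: the Internet may reach
# only the published DMZ web services; the DMZ may reach the LAN only on a
# single backend port; the LAN may initiate anywhere; the rest is dropped.
POLICY = [
    Rule("internet", "dmz", "tcp", frozenset({80, 443}), "allow"),
    Rule("internet", "lan", "any", None, "deny"),
    Rule("dmz", "lan", "tcp", frozenset({5432}), "allow"),
    Rule("lan", "dmz", "any", None, "allow"),
    Rule("lan", "internet", "any", None, "allow"),
]

def zone_of(addr: str) -> str:
    """Map an address to its firewall zone; unknown addresses are Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """First-match evaluation; a packet matching no rule is denied."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in POLICY:
        if r.src_zone != sz or r.dst_zone != dz:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dports is not None and dport not in r.dports:
            continue
        return r.action
    return "deny"  # default deny: nothing not explicitly permitted passes
```

Running evaluate over a few constructed flows shows the segmentation the text describes: Internet to DMZ is allowed on 80/443 only, Internet to LAN is never allowed, and a compromised DMZ host can reach the LAN only on the one backend port.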
