Monday, 23 January 2012

DMZ - Demilitarized Zone

Definition:

 In computer networking, DMZ is a firewall configuration for securing local area networks (LANs). In a DMZ configuration, most computers on the LAN run behind a firewall connected to a public network like the Internet. One or more computers also run outside the firewall, in the DMZ. Those computers on the outside intercept traffic and broker requests for the rest of the LAN, adding an extra layer of protection for computers behind the firewall.

Traditional DMZs allow computers behind the firewall to initiate requests outbound to the DMZ. Computers in the DMZ in turn respond, forward or re-issue requests out to the Internet or other public network, as proxy servers do. (Many DMZ implementations, in fact, simply utilize a proxy server or servers as the computers within the DMZ.) The LAN firewall, though, prevents computers in the DMZ from initiating inbound requests.

DMZ is a commonly-touted feature of home broadband routers. However, in most instances these features are not true DMZs. Broadband routers often implement a DMZ simply through additional firewall rules, meaning that incoming requests reach the firewall directly. In a true DMZ, incoming requests must first pass through a DMZ computer before reaching the firewall.

OR


In computer networks, a DMZ (demilitarized zone) is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network. It prevents outside users from getting direct access to a server that has company data. (The term comes from the geographic buffer zone that was set up between North Korea and South Korea following the UN "police action" in the early 1950s.) A DMZ is an optional and more secure approach to a firewall and effectively acts as a proxy server as well.

In a typical DMZ configuration for a small company, a separate computer (or host in network terms) receives requests from users within the private network for access to Web sites or other companies accessible on the public network. The DMZ host then initiates sessions for these requests on the public network. However, the DMZ host is not able to initiate a session back into the private network. It can only forward packets that have already been requested.


Users of the public network outside the company can access only the DMZ host. The DMZ may typically also have the company's Web pages so these could be served to the outside world. However, the DMZ provides access to no other company data. In the event that an outside user penetrated the DMZ host's security, the Web pages might be corrupted but no other company information would be exposed. Cisco, the leading maker of routers, is one company that sells products designed for setting up a DMZ.


OR


The term DMZ stands for "demilitarized zone," and in the computer world, it refers to a buffer zone that separates the Internet and your private LAN. (Note: Microsoft calls this a "Screened Subnet".) It's considered a separate network that is more trusted than the Internet but less trusted than the internal LAN. Many SOHO router vendors have taken to using the term "DMZ." In fact, those products are simply bypassing their filters and NAT protection when they set up a "DMZ" and forwarding all traffic to a "default host." This should not be confused with a true DMZ.

One way to create a DMZ is with a machine that has three NICs in it -- one for the WAN connection, one for the DMZ network and one for the internal network. This is one method of creating a DMZ, but it is not the preferred method. This configuration allows the security of all three networks to lie in one system. If your machine containing all three NICs is compromised, so is your DMZ and your private network. Basically, you are allowing the Internet to "touch" the very same machine that determines how secure your internal LAN is, and this is not a good thing.

A better way to do this is with three separate networks. The way this is accomplished is with two "firewall" devices -- one on the border of your WAN and one on the border of your internal network. Let us say that you have a broadband router/switch and a Checkpoint firewall. You would put your router/switch on your border (right behind your modem). That becomes your DMZ switch. You use one of the ports to connect your bastion host/public server. This is the machine that is running the service that you want people to be able to connect to from the outside. This may be a website, an FTP server or a multi-player game. You want this machine to be hardened to some degree, meaning that it is all the way patched and is not running anything that is vulnerable (although the border device affords it some protection via NAT). As a general rule, though, you want anything put in the DMZ to be resistant to attacks from the Internet since public access is the reason that you are putting it out there in the first place.

Now, to that same switch, you are going to attach another network cable that goes to your Checkpoint firewall. Your firewall (this is going to be the better of the two firewalls that you have, so if you have a Checkpoint and a Netgear, you should use the Netgear on the border and the Checkpoint box on this one) is going to have two NICs in it -- one for the DMZ side and one for the private LAN side. Connect the cable to the DMZ side of the internal firewall, and on the other side of the firewall (the private LAN side), you connect a cable to another hub/switch that all of your LAN computers will connect to.

If that was confusing, think of it this way:

------------
Internet to Modem
Modem to Router
Router to DMZ Hub/Switch
DMZ Switch to WEB/FTP/Game Server
...and...
DMZ Switch to Firewall External NIC
Firewall Internal NIC to Internal Hub/Switch
Internal Hub/Switch to Internal Systems
------------

What this does is allow you to completely segment your network in terms of trust. You can initiate connections to the DMZ and to the Internet, but neither of those two networks can initiate connections to you. Essentially, you are saying that you don't trust those two networks, and they are considered completely separate from your internal LAN. This way, if your host in the DMZ is compromised, the intruder will not be able to compromise the other computers in your LAN.

The power is further extended by the fact that you can use NAT on your border device to pass only the ports needed into your DMZ. So, if you are only running a web server, then you only pass TCP 80 to your DMZ machine running that daemon; all other connection requests are refused at the border router/firewall.
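The trust rules of this two-firewall layout, as an added model that is not code from the original post or from any firewall vendor: a packet crosses the border device when the Internet is one end and the inner firewall when the LAN is one end, the border passes only TCP 80 into the DMZ, and the inner firewall admits nothing the DMZ or the Internet initiates, while replies to admitted connections are tracked statefully. Zone names and rule tuples are assumptions made here; the SOHO "default host" rule set is included to show the contrast drawn earlier.

```python
# Policy model of the two-firewall DMZ: border router NATs only TCP 80 into
# the DMZ, a stronger inner firewall guards the private LAN. Default deny,
# first-match allow, plus a connection table so only reply traffic of an
# admitted connection gets back through. Zones and rules are assumptions.
INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"

# Rule = (source zone, destination zone, protocol or None, dest port or None)
BORDER_RULES = [
    (INTERNET, DMZ, "tcp", 80),        # only the web daemon is published
    (DMZ, INTERNET, None, None),       # DMZ hosts may answer/forward outward
    (INTERNAL, INTERNET, None, None),  # LAN traffic leaving via the DMZ switch
]
INTERNAL_FW_RULES = [
    (INTERNAL, DMZ, None, None),       # LAN may initiate toward the DMZ
    (INTERNAL, INTERNET, None, None),  # ...and toward the Internet
]
# SOHO "DMZ"/default host for contrast: every inbound packet is forwarded.
SOHO_DEFAULT_HOST_RULES = [(INTERNET, DMZ, None, None), (DMZ, INTERNET, None, None)]

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()  # (src, dst, proto, dport) of admitted connections

    def accept(self, src, dst, proto, dport, reply=False):
        if reply:  # reverse direction of a connection this firewall admitted
            return (dst, src, proto, dport) in self.conntrack
        for r_src, r_dst, r_proto, r_port in self.rules:
            if (r_src, r_dst) == (src, dst) and r_proto in (None, proto) \
                    and r_port in (None, dport):
                self.conntrack.add((src, dst, proto, dport))
                return True
        return False  # default deny

def build_network(border_rules=BORDER_RULES):
    """Return permitted(src, dst, proto, dport, reply) for the three-zone layout."""
    border = StatefulFirewall(border_rules)
    inner = StatefulFirewall(INTERNAL_FW_RULES)

    def permitted(src, dst, proto, dport, reply=False):
        hops = []
        if INTERNAL in (src, dst):
            hops.append(inner)   # anything touching the LAN crosses the inner firewall
        if INTERNET in (src, dst):
            hops.append(border)  # anything touching the Internet crosses the border
        if src == INTERNET:
            hops.reverse()       # consult firewalls in the order the packet meets them
        return all(fw.accept(src, dst, proto, dport, reply) for fw in hops)
    return permitted
```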
