Demilitarized zone or DMZ as it is abbreviated is a firewall configuration for securing internal network of an organization.In any business environment a need arises to permit external access to some part of organization’s network, for example to enable external e-mail to be received and to provide public access to a web site. This introduces the concept of the “demilitarized zone”.
The DMZ is a “semi-protected” zone. The DMZ provides a network segment that is externally accessible and which contains services or files that are publicly available. The remainder of the network is placed on a separate network segment and connected to the firewall separately from the DMZ.
The working of the DMZ can be explained through the following examples:
Consider Situation 1 with no DMZ
• All the internal servers are located on the same network segment behind a firewall.
• A flaw in any of the internal server software say email server software can be exploited by the hacker to gain access to all other resources located in the same segment.
Consider Situation 2 with DMZ in place
• Here let’s assume that the email proxy server is located in the DMZ. The first firewall may be configured to allow inbound email to access the proxy server which in turn relays the same to the email server located behind the second firewall.
• Since the email proxy server is not on the same network segment as that of the email server, a flaw in the email proxy server software successfully exploited by the hacker cannot be used by the hacker to attack the email server which is protected by the second firewall.
In simple terms, the idea is that it is better to have a machine hacked on a DMZ than to have a machine hacked on the internal network.
It is worthy note the following points:
• A DMZ should not be connected to the internal network directly; it should be routed through a firewall.
• It should not contain internal network information such as user IDs or passwords.
• It should not contain important resources. Files placed in a DMZ should be on read-only mode.
• The DMZ should be well secured to prevent the hacker from using its resources to attack another organisation’s network.
• The firewalls should enforce rules to protect the DMZ from the internet and rules to protect the internal network from the DMZ.
Depending on the level of protection required, multiple DMZs may be deployed.