Types of DMZ Architecture
DMZ
A Demilitarized Zone (DMZ) is a
network segment that is separated from other networks. Many organizations use
them to separate their Local Area Networks (LAN) from the Internet. This puts
additional security between their corporate network and the public Internet. It
can also be used to separate one particular machine from the rest of a network,
moving it outside of the protection of a firewall.
Principle
In a computer network, the hosts
most vulnerable to attack are those that provide services to users outside of
the local area network, such as e-mail, web and Domain Name System (DNS)
servers. Because of the increased potential of these hosts being compromised,
they are placed into their own sub-network in order to protect the rest of the
network if an intruder were to succeed in attacking any of them.
Hosts in the DMZ have limited
connectivity to specific hosts in the internal network, although communication
with other hosts in the DMZ and to the external network is allowed. This allows
hosts in the DMZ to provide services to both the internal and external network,
while an intervening firewall controls the traffic between the DMZ servers and
the internal network clients.
Types of Architectures
Two of the most basic methods are the single-firewall design, also known as the
three-legged model, and the dual-firewall design.
Single firewall
A single firewall with at least three
network interfaces can be used to create a network architecture containing a
DMZ. The external network is formed from the ISP to the firewall on the first
network interface, the internal network is formed from the second network
interface, and the DMZ is formed from the third network interface. The firewall
becomes a single point of failure for the network and must be able to handle
all of the traffic going to the DMZ as well as the internal network.
Dual firewall
A more secure approach is to use
two firewalls to create a DMZ. The first firewall, also called the
"front-end" firewall, must be configured to allow traffic destined to
the DMZ only. The second firewall, also called the "back-end" firewall,
allows only traffic from the DMZ to the internal network. This setup is
considered more secure since two devices would need to be compromised. This
architecture is, of course, more costly. The practice of using different
firewalls from different vendors is sometimes described as a component of a
"defense in depth" security strategy.
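As an added example (not part of the original post), the following Python model expresses the zone policies described in the Principle, Single firewall and Dual firewall sections as rule tables, and shows why the dual-firewall layout forces external-to-internal traffic through both devices. The address ranges, the internal database host and port, the rule layout and the function names are constructed assumptions for illustration only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    dport: int    # destination TCP/UDP port


# Constructed address plan for the zones (an assumption for this example,
# not from the post). Anything outside these prefixes is treated as external.
ZONE_PREFIXES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONE_PREFIXES.items():
        if ip in net:
            return name
    return "external"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: Optional[str] = None        # None: any host in dst_zone
    dports: Optional[frozenset] = None    # None: any destination port

    def matches(self, pkt: Packet) -> bool:
        return (zone_of(pkt.src) == self.src_zone
                and zone_of(pkt.dst) == self.dst_zone
                and (self.dst_host is None or pkt.dst == self.dst_host)
                and (self.dports is None or pkt.dport in self.dports))


def permitted(rules, pkt: Packet) -> bool:
    """Every rule is an allow rule; anything unmatched is dropped (default deny)."""
    return any(r.matches(pkt) for r in rules)


PUBLIC_SERVICES = frozenset({25, 53, 80, 443})   # mail, DNS and web, the services the post names
DB_HOST = "10.0.0.10"                            # constructed internal database address
DB_PORT = 5432                                   # constructed database port

# Single firewall ("three-legged"): one device sits between all three zones.
THREE_LEGGED = [
    Rule("external", "dmz", dports=PUBLIC_SERVICES),
    Rule("internal", "dmz"),
    Rule("internal", "external"),
    Rule("dmz", "external"),
    # "Limited connectivity to specific hosts": only the DB host, one port.
    Rule("dmz", "internal", dst_host=DB_HOST, dports=frozenset({DB_PORT})),
    # No external -> internal rule at all: such traffic hits the default deny.
]

# Dual firewall: the front-end admits traffic destined to the DMZ (plus the
# DMZ's own outbound traffic); the back-end admits DMZ -> internal only to
# specific hosts, and internal clients reaching DMZ services.
FRONT_END = [
    Rule("external", "dmz", dports=PUBLIC_SERVICES),
    Rule("dmz", "external"),
]
BACK_END = [
    Rule("dmz", "internal", dst_host=DB_HOST, dports=frozenset({DB_PORT})),
    Rule("internal", "dmz"),
]


def permitted_single(pkt: Packet) -> bool:
    """Traffic inside one zone never crosses the firewall; everything else must match a rule."""
    if zone_of(pkt.src) == zone_of(pkt.dst):
        return True
    return permitted(THREE_LEGGED, pkt)


def path(pkt: Packet):
    """Devices a packet traverses: front-end between external and DMZ, back-end between DMZ and internal."""
    order = ["external", "dmz", "internal"]
    lo, hi = sorted((order.index(zone_of(pkt.src)), order.index(zone_of(pkt.dst))))
    hops = []
    if lo == 0 and hi >= 1:
        hops.append(FRONT_END)
    if lo <= 1 and hi == 2:
        hops.append(BACK_END)
    return hops


def permitted_dual(pkt: Packet) -> bool:
    """A packet must be allowed by every firewall on its path; two devices guard external -> internal."""
    return all(permitted(rules, pkt) for rules in path(pkt))
```

The model makes the post's security argument concrete: in the three-legged design a single misconfiguration or compromise of the one device exposes every zone pair, whereas in the dual design an external packet bound for the internal network must pass `FRONT_END`, which has no rule for it, before the `BACK_END` rules are even consulted.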