Tuesday, September 25, 2012


Types of DMZ Architecture


DMZ


A Demilitarized Zone (DMZ) is a network segment that is separated from other networks. Many organizations use one to separate their Local Area Network (LAN) from the Internet, which puts an additional layer of security between the corporate network and the public Internet. A DMZ can also be used to isolate a single machine from the rest of a network, placing it outside the protection of the firewall.


Principle


In a computer network, the hosts most vulnerable to attack are those that provide services to users outside of the local area network, such as e-mail, web and Domain Name System (DNS) servers. Because these hosts are more likely to be compromised, they are placed into their own sub-network so that the rest of the network stays protected if an intruder succeeds in attacking any of them.

Hosts in the DMZ have limited connectivity to specific hosts in the internal network, although communication with other hosts in the DMZ and to the external network is allowed. This allows hosts in the DMZ to provide services to both the internal and external network, while an intervening firewall controls the traffic between the DMZ servers and the internal network clients.


Types of Architectures


Two of the most basic designs use either a single firewall (also known as the three-legged model) or dual firewalls.


Single firewall


A single firewall with at least three network interfaces can be used to create a network architecture containing a DMZ. The external network is formed from the ISP to the firewall on the first network interface, the internal network is formed from the second network interface, and the DMZ is formed from the third network interface. The firewall becomes a single point of failure for the network and must be able to handle all of the traffic going to the DMZ as well as to the internal network.


Dual firewall


A more secure approach is to use two firewalls to create a DMZ. The first firewall, also called the "front-end" firewall, must be configured to allow traffic destined to the DMZ only. The second firewall, also called the "back-end" firewall, allows only traffic from the DMZ to the internal network. This setup is considered more secure because two devices would need to be compromised. This architecture is, of course, more costly. The practice of using different firewalls from different vendors is sometimes described as a component of a "defense in depth" security strategy.
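The following Python model is an added example, not code from the original post. It encodes the zone-to-zone policy from the Principle section as allow rules with a default deny, first for the single three-legged firewall and then split across the front-end and back-end firewalls of the dual design, and walks constructed packets through each. The zone names, the "front-end"/"back-end" labels, the exposed ports 25/53/80/443 and the single internal database port 5432 are assumptions chosen for illustration; the `compromised` parameter is also an assumption, used to show why external-to-internal traffic is still denied when only one of the two devices has been taken over.

```python
"""Zone-policy model of the single- and dual-firewall DMZ designs (added example)."""
from dataclasses import dataclass

EXTERNAL, DMZ, INTERNAL = "external", "dmz", "internal"

# Services the post names as typically exposed from the DMZ: mail, DNS, web.
PUBLIC_SERVICES = frozenset({25, 53, 80, 443})
# Constructed assumption: a DMZ web server may reach exactly one internal database port.
INTERNAL_DB_PORT = frozenset({5432})


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    dport: int


# A rule is (source zone, destination zone, allowed destination ports or None for any).
# All rules are allow rules; first match wins and anything unmatched is denied (default deny).
# Production rule sets also match on host addresses; zones alone keep the model readable.
def evaluate(rules, pkt: Packet) -> str:
    """Return 'allow' if some rule matches the packet, otherwise the default verdict 'deny'."""
    for src, dst, ports in rules:
        if src == pkt.src_zone and dst == pkt.dst_zone and (ports is None or pkt.dport in ports):
            return "allow"
    return "deny"


# --- Single firewall ("three-legged"): one device holds every zone-to-zone rule.
SINGLE_FW_RULES = [
    (EXTERNAL, DMZ, PUBLIC_SERVICES),   # public services reachable from the Internet
    (DMZ, EXTERNAL, None),              # DMZ hosts may talk out (outbound mail, DNS recursion)
    (INTERNAL, DMZ, None),              # internal clients use the DMZ services
    (INTERNAL, EXTERNAL, None),         # internal clients browse the Internet
    (DMZ, INTERNAL, INTERNAL_DB_PORT),  # the only DMZ -> internal path, limited to one port
    # EXTERNAL -> INTERNAL has no rule and therefore falls to default deny.
]

# --- Dual firewall: each device only needs rules for the two zones it sits between.
FRONT_END_RULES = [          # between EXTERNAL and DMZ
    (EXTERNAL, DMZ, PUBLIC_SERVICES),
    (DMZ, EXTERNAL, None),
]
BACK_END_RULES = [           # between DMZ and INTERNAL
    (DMZ, INTERNAL, INTERNAL_DB_PORT),
    (INTERNAL, DMZ, None),
]
ZONE_ORDER = [EXTERNAL, DMZ, INTERNAL]                        # constructed topology
FIREWALLS = [("front-end", FRONT_END_RULES), ("back-end", BACK_END_RULES)]


def firewalls_on_path(src_zone: str, dst_zone: str):
    """Firewalls a packet crosses, in travel order: the front-end sits between the external
    network and the DMZ, the back-end between the DMZ and the internal network."""
    i, j = ZONE_ORDER.index(src_zone), ZONE_ORDER.index(dst_zone)
    crossed = FIREWALLS[min(i, j):max(i, j)]  # same-zone traffic (e.g. DMZ-to-DMZ) crosses none
    return crossed if i < j else crossed[::-1]


def evaluate_dual(pkt: Packet, compromised=frozenset()):
    """Walk the packet through every firewall on its path; return (verdict, deciding firewall).

    A firewall named in `compromised` is modelled as forwarding everything, which shows the
    property the post relies on: the remaining device still enforces its own rules.
    """
    for name, rules in firewalls_on_path(pkt.src_zone, pkt.dst_zone):
        if name not in compromised and evaluate(rules, pkt) == "deny":
            return "deny", name
    return "allow", None


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    samples = [
        Packet(EXTERNAL, DMZ, 443),       # web request from the Internet to the DMZ
        Packet(EXTERNAL, DMZ, 22),        # management port that must not be exposed
        Packet(EXTERNAL, INTERNAL, 445),  # Internet traffic aimed straight at the LAN
        Packet(DMZ, INTERNAL, 5432),      # DMZ web server to the internal database
        Packet(DMZ, INTERNAL, 22),        # DMZ host reaching for anything else inside
    ]
    for p in samples:
        print(p, "single:", evaluate(SINGLE_FW_RULES, p), "dual:", evaluate_dual(p))
    print("front-end compromised, EXTERNAL->INTERNAL:",
          evaluate_dual(Packet(EXTERNAL, INTERNAL, 445), compromised={"front-end"}))
```

Running the script prints one verdict per sample for each design. The last line is the point of the dual layout: with the front-end treated as fully compromised, the external-to-internal packet is still dropped by the back-end, so an attacker would have to defeat both devices, whereas in the single-firewall model the same device holds every rule.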


