Demilitarized Zone (DMZ) Port

Source: Wikipedia: DMZ

DMZ (computing)

From Wikipedia, the free encyclopedia

In computer security, a DMZ or demilitarized zone (sometimes called a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger, untrusted network, usually the Internet. The purpose of a DMZ is to add a further layer of security to an organization's local area network (LAN): an external attacker has direct access only to the equipment in the DMZ, not to any other part of the network.


Rationale

In a network, the hosts most vulnerable to attack are those that provide services to users outside the local area network, such as e-mail, web and DNS servers. Because these hosts are the most likely to be compromised, they are placed in their own subnetwork so that the rest of the network stays protected if an intruder succeeds. Hosts in the DMZ have limited connectivity to specific hosts in the internal network, while communication with other hosts in the DMZ and with the external network is allowed. This lets hosts in the DMZ provide services to both the internal and the external network while an intervening firewall controls the traffic between the DMZ servers and the internal network clients. Since the DMZ is the segment most likely to be compromised, the rules from the DMZ toward the internal network deserve the most scrutiny: each permitted flow should name the specific source host, destination host and port rather than allowing a whole subnet.
Services that belong in the DMZ

Generally, any service provided to users from an external network could be placed in the DMZ. The most common of these are web servers, mail servers, FTP servers, VoIP servers and DNS servers. In some situations additional steps are needed to provide these services securely.
Web servers

Web servers may need to communicate with an internal database to provide some services. Since the database server is not publicly accessible and may contain sensitive information, it should not be placed in the DMZ. It is generally not a good idea to allow the web server to communicate directly with the internal database server either. Instead, an application firewall can be used to mediate between the web server and the database server, so that only the expected requests cross the boundary. This is more complicated, but it provides another layer of security: a compromised web server cannot open arbitrary connections to the database.
E-mail servers

Because of the confidential nature of e-mail, storing mailboxes in the DMZ is a poor idea, and so is storing the user database there. Instead, e-mail should be stored on an internal e-mail server placed in a protected segment that cannot be reached from the Internet but can be reached by the DMZ mail server. Placing the internal e-mail server on the general LAN is not good practice: it does not give the best performance, and although this configuration protects against external attacks, it does not protect against internal ones (for example, traffic could be sniffed or spoofed).

The mail server inside the DMZ should pass incoming mail to the secured internal mail server, and the internal mail server should pass outgoing mail to the DMZ mail server, which relays it to external mail servers. The firewall then needs to permit only SMTP between those two named hosts across the DMZ/internal boundary.
Proxy servers

For security, legal compliance and monitoring reasons, it is also recommended in a business environment to install a proxy server within the DMZ. This has the following benefits:

* It obliges internal users (usually employees) to use this particular proxy for Internet access. Users should not be allowed to browse the Internet directly and bypass the DMZ defenses, so the firewall should permit outbound web traffic only from the proxy itself.
* It allows the company to save Internet bandwidth, because some web content may be cached by the proxy server.
* It allows the system administrator to record and monitor user activity and ensure that no illegal content is downloaded or uploaded by employees. In many EU countries, for example, a company director is liable for employees' Internet activities.[citation needed]

Reverse proxy servers

A reverse proxy server provides the same service as a proxy server, but the other way around. Instead of providing a service to internal users, it provides indirect access to internal resources from an external network (usually the Internet). Access to a back-office application such as an e-mail system can be provided to external users (to read e-mail while outside the company), but the remote user never has direct access to the e-mail server: only the reverse proxy can reach the internal e-mail server. This is an extra layer of security, particularly recommended when an internal resource needs to be accessed from the outside. Such a reverse proxy is usually provided by an application-layer firewall, which inspects the specific shape of the traffic (host names, methods, paths, header structure) rather than merely controlling access to specific TCP and UDP ports as a packet-filtering firewall does.
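The following is an added example, not code from the original article, showing the kind of application-layer admission check a DMZ reverse proxy performs in front of an internal webmail server: the packet filter can only say "TCP/443 to the reverse proxy is allowed", while this check looks at the shape of each HTTP request and forwards only what the published application needs. The public host name, the upstream address, the path prefixes, the size limit and the sample requests are all assumptions constructed for the example.

```python
"""Application-layer admission check for a DMZ reverse proxy (added example).

Everything not explicitly allowed is refused: the Host header must be the
published name, the method must be one the application uses, the request must
not carry an ambiguous message length, and the canonicalised path must stay
inside the published application's prefixes. Names and limits are assumptions.
"""
import posixpath
import re
from typing import Dict, Tuple
from urllib.parse import unquote

UPSTREAM = "mail.internal.example:443"      # assumed; reachable only from the proxy
ALLOWED_HOSTS = {"webmail.example.com"}     # assumed public name
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_PREFIXES = ("/owa", "/mail")        # assumed: the webmail app only, not the whole server
MAX_REQUEST_LINE = 2048
REQUEST_LINE = re.compile(r"^([A-Z]{3,10}) (\S+) HTTP/1\.[01]$")


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Parse the head of an HTTP/1.x request into (method, target, headers).
    Raises ValueError (or UnicodeDecodeError) on anything not plainly well-formed."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    if len(lines[0]) > MAX_REQUEST_LINE:
        raise ValueError("request line too long")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header")
        headers.setdefault(name.strip().lower(), value.strip())
    return m.group(1), m.group(2), headers


def admit(raw: bytes) -> Tuple[bool, str]:
    """Return (True, upstream) if the request may be forwarded, else (False, reason)."""
    try:
        method, target, headers = parse_request(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return False, f"reject: {exc}"
    if headers.get("host") not in ALLOWED_HOSTS:
        return False, "reject: unexpected Host header"
    if method not in ALLOWED_METHODS:
        return False, f"reject: method {method} not allowed"
    if "transfer-encoding" in headers and "content-length" in headers:
        return False, "reject: ambiguous message length (request smuggling)"
    # Canonicalise before comparing: percent-decode, then collapse "." and ".."
    # so an encoded traversal cannot escape the allowed prefixes.
    path = unquote(target.split("?", 1)[0])
    if not path.startswith("/") or "\\" in path or "\x00" in path:
        return False, "reject: malformed path"
    norm = posixpath.normpath(path)
    if not any(norm == p or norm.startswith(p + "/") for p in ALLOWED_PREFIXES):
        return False, f"reject: path {norm} outside the published application"
    return True, UPSTREAM


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "ok": b"GET /owa/inbox?page=2 HTTP/1.1\r\nHost: webmail.example.com\r\n\r\n",
    "traversal": b"GET /owa/../admin/ HTTP/1.1\r\nHost: webmail.example.com\r\n\r\n",
    "encoded": b"GET /owa/%2e%2e/admin HTTP/1.1\r\nHost: webmail.example.com\r\n\r\n",
    "wrong_host": b"GET /owa/ HTTP/1.1\r\nHost: mail.internal.example\r\n\r\n",
    "method": b"DELETE /owa/inbox HTTP/1.1\r\nHost: webmail.example.com\r\n\r\n",
    "smuggle": (b"POST /owa/send HTTP/1.1\r\nHost: webmail.example.com\r\n"
                b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"),
}


def run_samples() -> Dict[str, bool]:
    """Evaluate every constructed sample; only 'ok' should be forwarded."""
    return {name: admit(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:11s} -> {admit(raw)[1]}")
```

Note the ordering of the path check: decoding and normalising happen before the prefix comparison, because `/owa/%2e%2e/admin` passes a naive `startswith("/owa/")` test but resolves to `/admin` on the internal server. A real deployment would terminate TLS in front of this check and forward the admitted request to UPSTREAM over a connection that only the proxy host is allowed to open.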
Architecture

There are many ways to design a network with a DMZ. Two of the most basic are the single-firewall model, also known as the three-legged model, and the dual-firewall model. These can be expanded into very complex architectures depending on the network requirements.
Single firewall

A single firewall with at least three network interfaces can be used to create a network architecture containing a DMZ. The external network runs from the ISP to the firewall on the first interface, the internal network is attached to the second interface, and the DMZ to the third. The firewall becomes a single point of failure for the network and must handle all of the traffic going to the DMZ as well as to the internal network; because one rule set governs every zone pair, a single misconfigured rule on this device can expose the internal network directly. The zones are often colour-coded, for example green for the LAN, orange for the DMZ and red for the Internet, with a further colour (often blue) for wireless zones.

Diagram of a typical network employing DMZ using a three-legged firewall
Dual firewalls

A more secure approach is to use two firewalls to create a DMZ. The first firewall (the "front-end" firewall) is configured to allow traffic destined for the DMZ only; it never passes traffic from the Internet straight to the internal network. The second firewall (the "back-end" firewall) allows only the specific flows between the DMZ and the internal network that the services require. The first firewall handles a much larger volume of traffic than the second.

Some recommend that the two firewalls come from different vendors: if an attacker breaks through the first firewall, a vulnerability or misconfiguration specific to that product is less likely to apply to the second, so it takes more time to break through. This architecture is, of course, more costly. Using firewalls from different vendors is sometimes described as "defense in depth" or, from an opposing viewpoint, as "security through obscurity".

Diagram of a typical network employing DMZ using dual firewalls
DMZ host

Some home routers refer to a DMZ host. A home-router DMZ host is a host on the internal network to which all inbound ports are forwarded, except those forwarded elsewhere. By definition this is not a true DMZ, since it does not separate the host from the internal network: the DMZ host can connect to other hosts on the internal network, whereas hosts in a real DMZ are prevented from doing so by the firewall that separates them unless the firewall explicitly permits the connection (for example, when a host on the internal network first opened a connection to the DMZ host and the firewall is allowing the reply traffic). The DMZ host provides none of the security advantages that a separate subnet provides and is often used simply as an easy way of forwarding all ports to another firewall/NAT device.
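The following is an added example, not code from the original article, that turns the policy described in the Rationale, Web servers, E-mail servers, Proxy servers, Architecture and DMZ host sections above into something checkable: a default-deny zone policy for a three-legged firewall, the split of the same rules across a front-end and a back-end firewall, the contrast with a home-router "DMZ host", and a rendering of the policy as an nftables forward chain. The subnets, host addresses, ports and the interface names wan/dmz/lan are assumptions constructed for the example.

```python
"""Zone policy model for a DMZ (added example, not from the original article).

Encodes the flows discussed in the article: the Internet reaches only the web
server, the mail relay and the reverse proxy in the DMZ; the relay and the
reverse proxy are the only DMZ hosts allowed to open connections into the LAN,
and only to the internal mail server; clients must use the forward proxy.
All host names, addresses, ports and interface names are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed topology (assumed): one subnet per firewall leg; anything else is "wan".
ZONES = {"dmz": ip_network("192.0.2.0/24"), "lan": ip_network("10.0.0.0/24")}
HOSTS = {  # assumed addresses
    "web": "192.0.2.10", "relay": "192.0.2.25", "proxy": "192.0.2.80",
    "rproxy": "192.0.2.81", "mail": "10.0.0.25", "db": "10.0.0.50",
    "files": "10.0.0.60", "client": "10.0.0.100", "internet": "203.0.113.7",
}


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "wan")


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: int
    src: Optional[str] = None  # when set, only this source host matches
    dst: Optional[str] = None  # when set, only this destination host matches


# Default deny: only these new TCP connections are permitted. Every rule that
# crosses from the DMZ into the LAN names both the source and the destination host.
TRUE_DMZ_POLICY: List[Rule] = [
    Rule("wan", "dmz", 80, dst=HOSTS["web"]),
    Rule("wan", "dmz", 443, dst=HOSTS["web"]),
    Rule("wan", "dmz", 25, dst=HOSTS["relay"]),                      # inbound SMTP to the relay
    Rule("wan", "dmz", 443, dst=HOSTS["rproxy"]),                    # webmail via the reverse proxy
    Rule("dmz", "lan", 25, src=HOSTS["relay"], dst=HOSTS["mail"]),   # relay -> internal mail server
    Rule("dmz", "lan", 443, src=HOSTS["rproxy"], dst=HOSTS["mail"]), # reverse proxy -> webmail
    Rule("dmz", "wan", 25, src=HOSTS["relay"]),                      # outbound mail leaves via the relay
    Rule("dmz", "wan", 80, src=HOSTS["proxy"]),                      # only the proxy browses the Internet
    Rule("dmz", "wan", 443, src=HOSTS["proxy"]),
    Rule("lan", "dmz", 3128, dst=HOSTS["proxy"]),                    # clients must use the proxy
    Rule("lan", "dmz", 25, src=HOSTS["mail"], dst=HOSTS["relay"]),   # internal mail server -> relay
]


def permitted(policy: List[Rule], src: str, dst: str, dport: int) -> bool:
    """Would the firewall accept a new TCP connection src -> dst:dport?"""
    sz, dz = zone_of(src), zone_of(dst)
    return any(
        r.src_zone == sz and r.dst_zone == dz and r.dport == dport
        and r.src in (None, src) and r.dst in (None, dst)
        for r in policy
    )


def split_dual_firewall(policy: List[Rule]) -> Tuple[List[Rule], List[Rule]]:
    """Dual-firewall design: the front-end firewall only ever sees wan<->dmz
    traffic and the back-end firewall only dmz<->lan traffic, so no single rule
    can pass Internet traffic straight into the LAN."""
    front = [r for r in policy if {r.src_zone, r.dst_zone} == {"wan", "dmz"}]
    back = [r for r in policy if {r.src_zone, r.dst_zone} == {"dmz", "lan"}]
    return front, back


def dmz_host_permitted(src: str, dst: str, dport: int, dmz_host: str) -> bool:
    """Home-router "DMZ host": every inbound port is forwarded to one LAN host,
    but that host stays on the LAN, so nothing stops it reaching the rest of
    the LAN once compromised. dport is ignored because all ports are forwarded."""
    if zone_of(src) == "wan":
        return dst == dmz_host
    return True  # LAN<->LAN and LAN->WAN are unrestricted on a home router


def to_nft(policy: List[Rule]) -> str:
    """Render the policy as an nftables forward chain (interfaces assumed to be
    named after their zones: wan, dmz, lan)."""
    lines = ["table inet dmz {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for r in policy:
        src = f" ip saddr {r.src}" if r.src else ""
        dst = f" ip daddr {r.dst}" if r.dst else ""
        lines.append(f'    iifname "{r.src_zone}" oifname "{r.dst_zone}"'
                     f'{src}{dst} tcp dport {r.dport} ct state new accept')
    return "\n".join(lines + ["  }", "}"])


if __name__ == "__main__":
    print(to_nft(TRUE_DMZ_POLICY))
    # A compromised DMZ web server probing the internal file server on SMB:
    print("true DMZ:", permitted(TRUE_DMZ_POLICY, HOSTS["web"], HOSTS["files"], 445))
    print("DMZ host:", dmz_host_permitted("10.0.0.10", HOSTS["files"], 445, "10.0.0.10"))
```

The two checks at the bottom make the DMZ-host point concrete: under the zone policy a compromised web server cannot reach the internal file server because no rule names it, whereas a home-router DMZ host is simply another LAN machine and reaches everything. The `split_dual_firewall` result also serves as a review check for the dual-firewall design, since any rule whose zone pair is {wan, lan} would belong to neither firewall and should not exist.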
See also

* Bastion host

This page was last modified on 6 July 2010 at 20:01.
Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply.