Re: What is DMZ?

From: Eirik Seim (eirik_at_mi.uib.no)
Date: 10/05/03


Date: 5 Oct 2003 21:30:15 GMT

On Sun, 5 Oct 2003 15:12:33 -0500, SA wrote:
> <inquisitiveman2002@yahoo.com> wrote in message
> news:1d06a7b3.0310051130.46860bb0@posting.google.com...
> > What is it and how do you set it up in general? I just need to
> > understand the concepts and then go from there. Thanks
>
> The DMZ is also called bastion hosts.

No. But the _hosts_ in the DMZ should be more or less "bastion" hosts.
The rest of this reply is meant for the OP.

DMZ (Demilitarized Zone) [1] is in computer security terms a network
that is neither part of the untrusted network (typically the Internet)
nor the internal network, but somewhere in between. It is where your
company puts its web servers, mail relays, proxy servers, and similar.

There are basically two (three, but you don't want the third) models:

           ( the Internet )
                  |
                  |
             [firewall]---( DMZ )
                  |
                  |
       ( the internal network )

With this style, the DMZ is actually a third "leg" on the firewall,
enabling the firewall to filter traffic between the Internet and the
internal network, between the Internet and the DMZ, and between the
internal network and the DMZ.

Second:

           ( the Internet )
                  |
                  |
      [firewall/screening router]
                  |
                  |
               ( DMZ )
                  |
                  |
             [firewall]
                  |
                  |
       ( the internal network )

Here, using two firewalls, you add another layer of security. An
attacker has to break two firewalls to reach the internal network,
and even breaking a host in the DMZ will still leave one firewall
between the internal network and the compromised host. By enforcing
strict rules on where traffic can flow, both of the above, or even
combinations, can be "secure". And that brings us to the point of
even having a DMZ: It's where you place the services you need to
provide to the untrusted network(s) to minimize the risk of having
them compromised. Because they will be compromised. Computers are
insecure, and the network services they run will be broken into.

The last DMZ architecture is the typical home networking one, where
you got a cheap NAT router and forward some ports to a host on the
internal network:

           ( the Internet )
                  |
                  |
          [cheap NAT router]
                  |
                  |
       ( the internal network )

Where Host A receives all connections to, say, port 80/tcp (http) made
to the external address of the NAT router. This is dangerous because
it exposes a service directly located on your internal network, and
thus when someone breaks into it (and they will), they will have
unrestricted access to your entire internal network, and quite possibly
(if you enable all outgoing connections from the internal network,
not an uncommon scenario. Stupid, stupid, stupid, but not uncommon)
unrestricted access back to the Internet (sending spam, attacking
other networks, etc). If you've got one of these cheap NAT routers
and want to do this, I'd recommend another firewall/NAT router and
going for the second design, not the third.

There are of course variations of all of the above, scenarios with
multiple DMZs, several layers of firewalls and other things, but I
hope the above will help you understand what a DMZ is and does.

For more, see the Firewalls FAQ[2] or read a good book[3,4,5] on
the subject of firewalls.

- Eirik

1. http://www.globalsecurity.org/military/ops/dmz.htm
2. http://www.interhack.net/pubs/fwfaq/ , notably section 3.8
3. Building Internet Firewalls, 2. ed. ISBN: 1565928717
4. Firewall Architecture for the Enterprise, ISBN: 076454926X
5. Firewalls and Internet Security, 2. ed. ISBN: 020163466X

-- 
New and exciting signature!
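The three layouts in the post can be checked as zone policies: which firewall(s) a flow crosses, and what each one allows. The script below is an added example, not code from the post or from any of the books it cites. The address plan (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the internal network, 203.0.113.0/24 as "the Internet"), the ports and the rule sets are constructed for illustration; the point it makes is the one in the post: with a three-legged or screened-subnet DMZ a compromised DMZ host still faces a firewall on its way to the internal network, while with a port-forwarding NAT router the "server" is simply another internal host and nothing filters its traffic to its neighbours.

```python
"""Zone-policy model of the three DMZ layouts described in the post (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan (an assumption for this example, not from the post).
DMZ_NET = ip_network("192.0.2.0/24")
INTERNAL_NET = ip_network("10.0.0.0/8")


def zone_of(addr: str) -> str:
    """Classify an address; anything outside the DMZ or LAN counts as 'internet'."""
    a = ip_address(addr)
    if a in DMZ_NET:
        return "dmz"
    if a in INTERNAL_NET:
        return "internal"
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any port
    action: str              # "accept" or "drop"


def evaluate(policy: list[Rule], src_zone: str, dst_zone: str, port: int) -> str:
    """First matching rule wins; a flow no rule matches is dropped (default deny)."""
    for r in policy:
        if (r.src_zone, r.dst_zone) == (src_zone, dst_zone) and r.dst_port in (None, port):
            return r.action
    return "drop"


# Model 1: one three-legged firewall; every cross-zone flow crosses the same box.
THREE_LEG = [
    Rule("internet", "dmz", 80, "accept"),       # public web server
    Rule("internet", "dmz", 25, "accept"),       # mail relay
    Rule("dmz", "internet", 25, "accept"),       # relay delivers outbound mail
    Rule("dmz", "internal", 25, "accept"),       # relay -> inner mail server only
    Rule("internal", "dmz", None, "accept"),     # staff reach DMZ services
    Rule("internal", "internet", 443, "accept"),
]
THREE_LEG_TOPOLOGY = {
    frozenset({"internet", "dmz"}): [THREE_LEG],
    frozenset({"internet", "internal"}): [THREE_LEG],
    frozenset({"dmz", "internal"}): [THREE_LEG],
}

# Model 2: screened subnet. The outer firewall only sees the Internet/DMZ edge,
# the inner one only the DMZ/internal edge; Internet<->internal must pass both.
OUTER = [
    Rule("internet", "dmz", 80, "accept"),
    Rule("internet", "dmz", 25, "accept"),
    Rule("dmz", "internet", 25, "accept"),
]
INNER = [
    Rule("internal", "dmz", None, "accept"),
    Rule("dmz", "internal", 25, "accept"),
]
SCREENED_TOPOLOGY = {
    frozenset({"internet", "dmz"}): [OUTER],
    frozenset({"dmz", "internal"}): [INNER],
    frozenset({"internet", "internal"}): [OUTER, INNER],
}

# Model 3: cheap NAT router forwarding port 80 to a LAN host. There is no DMZ
# zone at all; the forwarded-to host is just another member of the LAN.
NAT_FORWARD = [
    Rule("internet", "internal", 80, "accept"),    # the port forward
    Rule("internal", "internet", None, "accept"),  # "enable all outgoing"
]
NAT_TOPOLOGY = {frozenset({"internet", "internal"}): [NAT_FORWARD]}


def decide(topology: dict, src: str, dst: str, port: int) -> str:
    """Accept only if every firewall on the path between the two zones accepts.
    Traffic that stays inside one zone never crosses a firewall, so it is
    accepted unconditionally; zone pairs with no path at all are unreachable."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "accept"
    path = topology.get(frozenset({sz, dz}))
    if path is None:
        return "drop"
    for policy in path:
        if evaluate(policy, sz, dz, port) == "drop":
            return "drop"
    return "accept"


def lateral_reach(topology: dict, compromised: str, targets: list) -> list:
    """Blast radius of one compromised host: the (host, port) targets it can reach."""
    return [f"{h}:{p}" for h, p in targets if decide(topology, compromised, h, p) == "accept"]


if __name__ == "__main__":
    targets = [("10.1.1.5", 445), ("10.1.1.9", 25), ("203.0.113.99", 25)]
    print("compromised DMZ web server, three-leg:", lateral_reach(THREE_LEG_TOPOLOGY, "192.0.2.10", targets))
    print("compromised DMZ web server, screened:", lateral_reach(SCREENED_TOPOLOGY, "192.0.2.10", targets))
    print("compromised port-forwarded LAN host:", lateral_reach(NAT_TOPOLOGY, "10.1.1.20", targets))
```

Run it and compare the three lines: in the first two models the compromised web server can only reach the inner mail server on port 25 (and port 25 outbound, because the relay needs it), whereas in the NAT model the forwarded-to host reaches every LAN target and the Internet, which is exactly the "unrestricted access" the post warns about. The same table-driven check is useful for reviewing a real ruleset: if the model accepts a flow you did not intend, the rule that matched first is the one to tighten.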
