Demilitarized Zone
A demilitarized zone (DMZ), or a perimeter network, can be a physical or logical subnetwork that contains and exposes an organization's external services to a larger and untrusted network, usually the Internet.

The idea of a DMZ is to have an additional layer of security by segregating a LAN from the infrastructure in the perimeter network. By doing this, an organization can restrict an external attacker to only the perimeter network rather than the whole network infrastructure.
Generally, any service that is being provided to the users on the external network can be placed in the perimeter network. The most common candidates are as follows:
Web servers
Email servers
FTP servers
VoIP servers
Some enterprises install a proxy server in the perimeter network. This serves two purposes: security and monitoring. It also has additional benefits:
Internal users are obliged to use the proxy server for Internet access.
Proxy servers maintain a local cache of web content, and therefore Internet access bandwidth requirements can be reduced to some extent.
Monitoring and recording of user activities is simplified.
Web content filtering is centralized.
There are two basic methods to design a network with a perimeter network: a single-firewall layout and a dual-firewall layout (see Figure 11.4). The two layouts are described in the following sections.
Single-Firewall Layout
In this layout, three network interfaces are used to create a layout containing a perimeter network. The firewall stands as an interface for the ISP, the internal network, and the perimeter network. The advantage is that this setup is simple to deploy and manage and requires minimum changes to the existing network. However, the disadvantage is that the firewall becomes a single point of failure for the entire network because it must be able to handle all the incoming and outgoing traffic. Another disadvantage is that one firewall is a single line of defense. If attackers can get through the firewall, they can get to the internal network.
Dual-Firewall Layout
To mitigate security concerns in a single-firewall setup, a dual-firewall approach is used. The first firewall is the front end (or perimeter) firewall that provides an interface for the ISP, the perimeter network, and a second firewall.
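The following example is added here and is not from the original text. It models the single-firewall layout as one ordered, default-deny rule list over the three zones attached to the firewall's interfaces (external, perimeter, internal), then shows how the same policy partitions onto the front-end and back-end firewalls of the dual-firewall layout so that a flow between the Internet and the LAN must be permitted twice. The zone address ranges, the proxy port (3128), the published service ports and the sample flows are all constructed assumptions for illustration; the point being demonstrated is that a host in the perimeter network cannot open connections into the LAN under either layout.

```python
"""Zone policy model for the single-firewall (three-interface) DMZ layout and
the dual-firewall split of the same policy.

Added example for this page, not code from the original text. The firewall
is modelled as an ordered rule list (first match wins, default deny) over the
three zones attached to its interfaces. All zone address ranges, ports and
sample flows are constructed assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address ranges behind each firewall interface (constructed; RFC 5737 and
# RFC 1918 space). "external" is whatever does not match the other two.
ZONES = {
    "perimeter": ipaddress.ip_network("192.0.2.0/24"),  # the DMZ
    "internal": ipaddress.ip_network("10.0.0.0/8"),     # the LAN
}

def zone_of(ip: str) -> str:
    """Map an address to the zone of the interface it sits behind."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"  # ISP side: everything else

@dataclass(frozen=True)
class Rule:
    src: str              # source zone
    dst: str              # destination zone
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any
    action: str           # "allow" or "deny"

# Single-firewall policy for new connections. Return traffic is assumed to be
# admitted statefully (established/related), as real firewalls do.
SINGLE_FIREWALL_POLICY = [
    # Internet may reach only the published DMZ services.
    Rule("external", "perimeter", "tcp", 80, "allow"),    # web
    Rule("external", "perimeter", "tcp", 443, "allow"),   # web over TLS
    Rule("external", "perimeter", "tcp", 25, "allow"),    # mail
    # DMZ hosts (mail relay, proxy cache) may originate Internet traffic.
    Rule("perimeter", "external", "tcp", 25, "allow"),
    Rule("perimeter", "external", "tcp", 80, "allow"),
    Rule("perimeter", "external", "tcp", 443, "allow"),
    # LAN users reach the Internet only through the DMZ proxy (assumed port).
    Rule("internal", "perimeter", "tcp", 3128, "allow"),
    Rule("internal", "external", "any", None, "deny"),
    # A compromised DMZ host must not be able to open connections into the
    # LAN: this is the "restrict the attacker to the perimeter" property.
    Rule("perimeter", "internal", "any", None, "deny"),
    Rule("external", "internal", "any", None, "deny"),
]

def evaluate(policy, src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return the action for a new connection; first matching rule wins."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    for r in policy:
        if (r.src, r.dst) == (s, d) and r.proto in (proto, "any") \
                and r.dport in (dport, None):
            return r.action
    return "deny"  # default deny for anything not explicitly permitted

def split_for_dual_firewall(policy):
    """Partition the policy between a front-end firewall, which sees the ISP
    link, the DMZ and the link to the second firewall, and a back-end firewall,
    which sees the DMZ side and the LAN. Rules touching both external and
    internal land on both, so such a flow must be allowed twice."""
    front = [r for r in policy if "external" in (r.src, r.dst)]
    back = [r for r in policy if "internal" in (r.src, r.dst)]
    return front, back

def evaluate_dual(policy, src_ip, dst_ip, proto, dport) -> str:
    """A flow is allowed only if every firewall on its path allows it."""
    front, back = split_for_dual_firewall(policy)
    s, d = zone_of(src_ip), zone_of(dst_ip)
    verdicts = []
    if "external" in (s, d):
        verdicts.append(evaluate(front, src_ip, dst_ip, proto, dport))
    if "internal" in (s, d):
        verdicts.append(evaluate(back, src_ip, dst_ip, proto, dport))
    if not verdicts:  # flow crosses neither firewall; fall back to one policy
        return evaluate(policy, src_ip, dst_ip, proto, dport)
    return "allow" if all(v == "allow" for v in verdicts) else "deny"

SAMPLE_FLOWS = [  # constructed (src, dst, proto, dport)
    ("203.0.113.7", "192.0.2.10", "tcp", 443),   # Internet -> DMZ web: allow
    ("203.0.113.7", "192.0.2.10", "tcp", 22),    # Internet -> DMZ ssh: deny
    ("192.0.2.10", "10.1.2.3", "tcp", 445),      # DMZ -> LAN: deny (confined)
    ("10.1.2.3", "192.0.2.20", "tcp", 3128),     # LAN -> DMZ proxy: allow
    ("10.1.2.3", "203.0.113.7", "tcp", 443),     # LAN -> Internet direct: deny
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "single:", evaluate(SINGLE_FIREWALL_POLICY, *flow),
              "dual:", evaluate_dual(SINGLE_FIREWALL_POLICY, *flow))
```

Running the block prints the verdict of each sample flow under both layouts; the two agree on every flow, which is the expected outcome since the dual-firewall layout changes where the policy is enforced, not what it permits. The practical difference is that an attacker who defeats the front-end firewall still faces the back-end firewall's perimeter-to-internal deny rule before reaching the LAN.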