A Demilitarized Zone (DMZ) is a host or small network placed between a company's private network and the outside public network. It was born out of the need to separate networks from a security point of view, and it prevents outside users from gaining direct access to servers that hold company confidential data.
Figure 1.1 Secure Isolation Network
A DMZ is a network construct that provides secure segregation of networks hosting services for users, visitors or partners. That separation is accomplished using IDS, IPS and multiple layers of filtering to control access and protect critical systems.
An organization may want to provide public Internet access to certain systems and protocols. For instance, the e-mail server must be reachable from the Internet. It is good practice to deploy such systems on a dedicated subnet: because they are publicly accessible, they are the systems most exposed to attack by malicious hackers, and the dedicated subnet limits what an attacker gains by compromising one of them.
The overall design and implementation can be relatively simple or sophisticated depending on the needs of the particular business or network environment. The DMZ has proven to be secure, flexible, scalable and robust, offering multiple layers of protection for the shielded network and machines. DMZ designs now integrate multiple products (both hardware and software based) on various platforms to achieve the required level of protection.
Figure 1.2 Secure Networks
The security policy for the DMZ, stated in terms of which side may initiate a connection (a stateful firewall lets the replies to an authorized connection back through), is generally the following:
- Traffic from the external network to the DMZ is authorized
- Traffic from the external network to the internal network is prohibited
- Traffic from the internal network to the DMZ is authorized
- Traffic from the internal network to the external network is authorized
- Traffic from the DMZ to the internal network is prohibited
- Traffic from the DMZ to the external network is denied
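To make the six rules concrete, here is an added example (not from the original page) that models them in Python as a zone firewall with a connection table. The subnets, the zone names and the sample flows are assumptions chosen for illustration; anything outside the two known subnets is treated as the external network.

```python
"""Added example: the six-rule DMZ policy as a stateful zone firewall.
The subnets, zone names and sample flows are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass, field

# Assumed addressing, one subnet per zone (not from the page).
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/24"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}
# Any address outside the known zones is the external network.

# (source zone, destination zone) pairs that may INITIATE a connection.
# The three prohibited directions (external->internal, dmz->internal,
# dmz->external) are simply absent from this set.
ALLOWED_INITIATIONS = {
    ("external", "dmz"),
    ("internal", "dmz"),
    ("internal", "external"),
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; unknown addresses are external."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class ZoneFirewall:
    """Stateful packet filter: a 5-tuple enters the table when its first
    packet is accepted; later packets in either direction match on it."""
    table: set = field(default_factory=set)

    def decide(self, f: Flow) -> str:
        fwd = (f.proto, f.src, f.sport, f.dst, f.dport)
        rev = (f.proto, f.dst, f.dport, f.src, f.sport)
        if fwd in self.table or rev in self.table:
            # Replies ride the existing entry, so a DMZ server can answer an
            # internal client without any DMZ->internal rule.
            return "ACCEPT (established)"
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if src_zone == dst_zone:
            return "NOT FORWARDED (same zone)"
        if (src_zone, dst_zone) in ALLOWED_INITIATIONS:
            self.table.add(fwd)
            return "ACCEPT (new)"
        return "DROP"


# Constructed sample traffic exercising every direction in the policy.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", 40000, "192.0.2.10", 443),   # Internet -> DMZ web
    Flow("192.0.2.10", 443, "203.0.113.5", 40000),   # ... its reply
    Flow("203.0.113.5", 40001, "10.0.0.5", 445),     # Internet -> internal
    Flow("10.0.0.20", 50000, "192.0.2.10", 22),      # internal -> DMZ
    Flow("192.0.2.10", 22, "10.0.0.20", 50000),      # ... its reply
    Flow("192.0.2.10", 33000, "10.0.0.5", 445),      # DMZ -> internal (new)
    Flow("192.0.2.10", 33001, "198.51.100.1", 25),   # DMZ -> Internet (new)
    Flow("10.0.0.20", 50001, "198.51.100.1", 443),   # internal -> Internet
]


def run_sample() -> list:
    """Run the sample flows through one firewall instance, in order."""
    fw = ZoneFirewall()
    return [fw.decide(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, run_sample()):
        print(f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}  {verdict}")
```

The point the table makes is that "traffic from the DMZ to the internal network is prohibited" does not block a DMZ server's answers to internal clients; it blocks connections the DMZ host originates, which is exactly what a compromised DMZ host would attempt.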
Thus the DMZ has an intermediate security level: it is not trusted enough to store critical company data.
It should be noted that DMZs can also be set up internally, to isolate parts of the internal network with varying levels of protection and to contain internal intrusions. The level of security within a DMZ also depends on the nature of the servers placed there. We can divide DMZs into two security categories:
- DMZs designed for unauthenticated or anonymous access
- DMZs designed for authenticated access
If you have a Web server that everybody on the Internet should be able to reach (such as a Web presence advertising your company), you will have to allow anonymous access; you cannot issue authentication credentials to every stranger who happens upon your site. However, if your Internet-facing servers on the DMZ are used by partners, customers, or employees working off-site, you can require authentication to access them, which makes it harder for an attacker to gain access.
A DMZ is a critical component of security design because any single type of protection is subject to failure. Such failure can arise from configuration errors, planning errors, equipment failure, and deliberate actions by disgruntled employees or an external attacker.
A DMZ design mainly consists of firewalls and segments that are protected from each other by firewall rules and routing. One must plan the topology and work out in advance the traffic flows, logical addressing, and other factors that affect the systems. The following figure gives the basic picture of a DMZ:
Figure 1.3 Basic DMZ design
The DMZ design can incorporate sections that isolate incoming VPN traffic, web traffic, partner connections, employee connections and public access to information provided by your organization. Designing DMZ structure throughout the organization can also protect internal resources from internal attack. Multiple design possibilities exist, depending on the level of protection required in the particular enterprise configuration.
A DMZ design lets you implement a multilayered approach to securing your resources without a single point of failure in the plan. This minimizes the loss of protection that can occur because of a poorly configured rule set or access control list, and reduces the problems caused by hardware configuration errors. We can categorize DMZ designs into four levels, as follows:
Level 1 design
Level 1 is the simplest design; subsequent levels provide progressively more segmented security. When we want to build a basic DMZ, we start with a single DMZ segment on the firewall. This design is fine if you have a few servers that need Internet access. However, if you do any e-commerce transactions, you have already outgrown this design.
Many people make the mistake of keeping this design, placing the Web and application servers in the DMZ and the databases on the internal network. This is no longer acceptable: the Web tier must then be allowed to open connections from the DMZ into the internal network, which is exactly the traffic the policy prohibits, and as database attacks become more targeted, a compromised Web server becomes a direct path to the database. That risk requires a more sophisticated design.
Level 2 design
A Level 2 DMZ consists of multiple DMZ networks off the firewall. This design is a substantial improvement over Level 1: it allows traffic rules to be written between each DMZ for control and segregation. A good start is separate DMZs for Web and application servers, databases, authentication services, VPNs, partner connections, e-mail and mobile services. This is very feasible today; most firewalls can easily handle tens of interfaces and multiple VLANs on each interface.
Level 3 design
One problem often seen in Level 2 designs is that overly permissive firewall rules give devices Internet access that should never have it. One way to rectify that is to use two firewalls. This design, which we will call Level 3, is built with an external firewall and an internal firewall; the DMZs are placed between the firewalls according to their access restrictions. Inbound Internet access is allowed into the external DMZ via the external firewall, and is never routed directly to devices placed in the internal DMZ on the internal firewall. The internal network can talk to the internal DMZ but not the external DMZ. This Level 3 design effectively separates Internet-connected devices from the services they require, using just two firewalls with their own policies. Most security teams quickly understand the rule-base split between externally accessible and internally accessible DMZs. The temptation is to create rules allowing inbound access from the DMZs to the internal network. This should never be allowed: every service that is needed should be moved into a DMZ so that internal networks are never exposed.
Level 4 design
Level 4 DMZ designs are where things get more complicated. A Level 4 scenario would most likely include deploying multiple firewall pairs in parallel along your border, and spreading your DMZs out among them, segregated by criteria of your choice. Most people separate the firewalls into business or functional groups, while others separate them by trust level.
Multiple DMZs can also be deployed to separate the components of a single application system. Such a system can consist of three separate tiers: presentation, application and database. The presentation tier consists of the web servers that interact with end users; it sends their input to the application tier for processing and returns the output to the end users. The application tier contains the business logic that processes queries and retrieves data from the database. The database tier is the store of data in table form. Giving each tier its own DMZ means the presentation tier can reach only the application tier, and only the application tier can reach the database.
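The Level 3 rules and the tier separation above can be checked mechanically. The following is an added example (not from the page) in Python: a lint that walks a simplified rulebase and reports every rule that violates the design, expanding wildcards so the zone pairs they silently allow are checked too. The zone names, the rule format and the sample rulebases are assumptions.

```python
"""Added example: lint a simplified Level 3 / three-tier DMZ rulebase.
Zone names, rule format and sample rules are assumptions for illustration."""
from dataclasses import dataclass

# Assumed zones. The external firewall fronts the external DMZ; the
# internal firewall fronts the two internal DMZ segments and the LAN.
EXTERNAL = "external"
EXT_DMZ_WEB = "ext-dmz-web"   # presentation tier, external DMZ
INT_DMZ_APP = "int-dmz-app"   # application tier, internal DMZ
INT_DMZ_DB = "int-dmz-db"     # database tier, internal DMZ
INTERNAL = "internal"
ANY = "any"

ALL_ZONES = {EXTERNAL, EXT_DMZ_WEB, INT_DMZ_APP, INT_DMZ_DB, INTERNAL}
DMZS = {EXT_DMZ_WEB, INT_DMZ_APP, INT_DMZ_DB}


@dataclass(frozen=True)
class Rule:
    src: str    # zone name or "any"
    dst: str    # zone name or "any"
    dport: str  # port, range, or "any"


def _expand(zone: str) -> set:
    return ALL_ZONES if zone == ANY else {zone}


def lint_rule(index: int, r: Rule) -> list:
    """Return the design violations hidden in one rule."""
    out = []
    if ANY in (r.src, r.dst, r.dport):
        out.append(f"rule {index}: wildcard src/dst/port is overly permissive")
    # Expand wildcards so every zone pair the rule really permits is checked.
    for s in sorted(_expand(r.src)):
        for d in sorted(_expand(r.dst)):
            if s == d:
                continue
            if s in DMZS and d == INTERNAL:
                out.append(f"rule {index}: {s} -> {d}: DMZ to internal must never "
                           "be allowed; move the needed service into a DMZ")
            if s == EXTERNAL and d != EXT_DMZ_WEB:
                out.append(f"rule {index}: {s} -> {d}: inbound Internet traffic "
                           "may only terminate in the external DMZ")
            if d == INT_DMZ_DB and s != INT_DMZ_APP:
                out.append(f"rule {index}: {s} -> {d}: the database tier is "
                           "reachable only from the application tier")
            if s == INTERNAL and d == EXT_DMZ_WEB:
                out.append(f"rule {index}: {s} -> {d}: the internal network "
                           "talks to the internal DMZ, not the external DMZ")
    return out


def lint_rulebase(rules: list) -> list:
    findings = []
    for i, r in enumerate(rules):
        findings.extend(lint_rule(i, r))
    return findings


# Constructed rulebase that follows the design.
GOOD_RULES = [
    Rule(EXTERNAL, EXT_DMZ_WEB, "443"),
    Rule(EXT_DMZ_WEB, INT_DMZ_APP, "8443"),
    Rule(INT_DMZ_APP, INT_DMZ_DB, "5432"),
    Rule(INTERNAL, INT_DMZ_APP, "8443"),
    Rule(INTERNAL, EXTERNAL, "443"),
]

# Constructed rulebase with the mistakes the text warns about.
BAD_RULES = [
    Rule(EXTERNAL, INTERNAL, "3389"),        # Internet straight to the LAN
    Rule(EXT_DMZ_WEB, INTERNAL, "445"),      # the DMZ -> internal "temptation"
    Rule(EXT_DMZ_WEB, INT_DMZ_DB, "5432"),   # web tier skipping the app tier
    Rule(ANY, EXT_DMZ_WEB, ANY),             # wildcard hiding internal -> ext DMZ
]

if __name__ == "__main__":
    for line in lint_rulebase(BAD_RULES):
        print(line)
```

The wildcard rule is the instructive one: "any -> ext-dmz-web" looks like a harmless web-server rule, but expanded it also lets the internal network reach the external DMZ, which the Level 3 design forbids.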
How DMZ works
Malicious hackers usually breach the internal network from the Internet when firewalls and other security devices are absent. Security in the internal network is usually maintained by devices such as firewalls, routers and switches that keep crucial services from being exposed on the Internet. If a malicious hacker somehow manages to penetrate these frontier devices, he can easily become part of the internal network.
To overcome such hazards, the DMZ is configured as a separate segment of the network, so that the internal network stays shielded from outside attacks even when the DMZ is compromised. The DMZ usually holds proxy server arrays, which the network uses to provide Web access for internal users; external Internet Information Services (IIS), which an organization can use to promote its presence on the Internet; and any VPN servers used to provide secure connections for remote clients. We can filter unsolicited traffic from the Internet by placing dual firewalls to protect the internal working network. This is basically a double layer of defense in which we protect both the DMZ and the internal network services.
A firewall DMZ can be implemented at the border of the corporate LAN with a firewall that typically has three network interfaces:
- The Internet interface: exposed to the Internet (the unsecured public network).
- The private / intranet interface: connected to the corporate LAN, where the protected internal hosts and data reside.
- The DMZ interface: connected to the DMZ segment, which public users on the Internet can reach through the firewall. The public resources that typically reside in the firewall DMZ are proxy servers and web servers.
As the number of publicly accessible systems grows, it is commonplace to implement port filtering to limit the impact of a breach: a malicious executable on a compromised host can otherwise establish a communication channel by opening a dynamic port. So most organizations limit the protocols allowed into the DMZ to a short list and review the known weaknesses of each, as follows:

| Protocol | Known weaknesses |
|---|---|
| HTTP | Vulnerable to replay, buffer overflow and spoofing to gain privilege and discover passwords. Poor HTTP server configuration allows privilege escalation. |
| FTP | No encryption mechanism, exposing credentials in clear text. |
| | DoS and buffer overflow attacks are possible. Security vulnerabilities exist in vendor software implementations that allow privilege escalation. The system is compromised when code runs under root credentials. |
Host Security on the DMZ
Because the DMZ is a less secure network than the internal network, host security is even more important for the computers that are "out there". The servers on your DMZ should be hardened as much as possible (while maintaining their necessary accessibility). Here are some guidelines:
- All unnecessary services should be disabled.
- Necessary services should be run with the lowest privileges possible.
- Strong passwords or passphrases should be used.
- Unnecessary user accounts should be deleted or disabled and default accounts should be disguised by renaming, changing the description, etc.
- Systems should have the latest security updates and patches applied.
- Security logging should be enabled, with the logs forwarded off the host so that a compromised server cannot erase its own trail (and you should check the logs frequently!)
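The checklist above can be turned into a repeatable audit. The following is an added example (not from the page) in Python that applies the service and account guidelines to a constructed inventory of a DMZ web server: a simplified listing of listening services (name, port, account), of the kind you would assemble from `ss -tlnp` and `ps`, plus /etc/passwd-style lines. The role profile, the listing format, the root exception list and the sample data are all assumptions.

```python
"""Added example: audit a DMZ host's listeners and accounts against a role
profile. The profile, the listing format and the sample data are assumptions."""
from dataclasses import dataclass, field


@dataclass
class RoleProfile:
    name: str
    allowed_ports: set               # services this role must expose
    login_accounts: set              # accounts allowed an interactive shell
    # Daemons whose listener legitimately runs as root (assumption: sshd's
    # master process binds port 22 as root and drops privileges per session).
    root_ok: set = field(default_factory=set)


# Assumed profile for a presentation-tier web server in the DMZ.
DMZ_WEB = RoleProfile(
    name="dmz-web",
    allowed_ports={22, 80, 443},
    login_accounts={"root", "deploy"},
    root_ok={"sshd"},
)

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed inventory: "service port account" per line (a simplified form
# of what `ss -tlnp` and `ps` would give you on the host).
LISTENERS = """\
sshd    22    root
nginx   80    www-data
nginx   443   www-data
mysqld  3306  mysql
cupsd   631   root
"""

# Constructed /etc/passwd-style lines.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000:Deploy:/home/deploy:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
games:x:5:60:games:/usr/games:/bin/sh
"""


def audit_listeners(profile: RoleProfile, listing: str) -> list:
    """Only the services the role needs, each at the lowest privilege."""
    findings = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        service, port, account = line.split()
        port = int(port)
        if port not in profile.allowed_ports:
            findings.append(f"{service}:{port} is not needed by role "
                            f"{profile.name}; disable it")
        if account == "root" and service not in profile.root_ok:
            findings.append(f"{service}:{port} runs as root; run it under a "
                            "dedicated low-privilege account")
    return findings


def audit_accounts(profile: RoleProfile, passwd: str) -> list:
    """No unexpected account may keep an interactive login shell."""
    findings = []
    for line in passwd.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user, shell = fields[0], fields[6]
        if shell not in NOLOGIN_SHELLS and user not in profile.login_accounts:
            findings.append(f"account {user} has login shell {shell}; "
                            "disable it or set a nologin shell")
    return findings


def audit_host(profile: RoleProfile, listing: str, passwd: str) -> list:
    return audit_listeners(profile, listing) + audit_accounts(profile, passwd)


if __name__ == "__main__":
    for finding in audit_host(DMZ_WEB, LISTENERS, PASSWD):
        print("FINDING:", finding)
```

On the sample data the audit flags the local database listener (a web server in the DMZ should not carry the database tier), the print spooler (unneeded and running as root), and two accounts with login shells that the role never asked for.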
Note that the "DMZ host" feature of a home or small-office router is a different thing: it forwards all unsolicited inbound traffic to one designated computer. That computer loses the router's firewall protection and is exposed to exploits from the Internet; if it is compromised, it can attack the rest of your network. Forwarding only the ports you actually need is the better option.
However, the DMZ host feature is helpful:
- When you have a problem connecting to an Internet service: setting up a DMZ host will tell you whether a closed port is responsible for the problem.
- With some online games and videoconferencing applications that are incompatible with NAT.
A honeypot is a decoy host that serves as a special type of host-based intrusion detection system, whose sole purpose is to monitor, detect and capture security threats. The honeypot is configured on a normal system that emulates a production server without all of the patches applied. Honeypots often include snapshot functionality and packet-capturing software so the security administrator can document all of the intruder's malicious activity.
Honeypots can also accept malicious traffic that is deflected by a network perimeter device, in order to slow down hackers and automated worms. By doing so, a honeypot can keep malicious hackers busy for hours in a virtual environment where they can do no damage and are easily trapped; for that to hold, the honeypot must be isolated from production systems and its outbound traffic restricted, so that it cannot be used as a pivot. Honeypots let the administrator know when certain types of attacks are happening so he can fortify the environment and track down the intruder. The longer the hacker stays at the honeypot, the more information is disclosed about his tactics. Administrators keep detailed logs, audit and perform forensic operations in the hope of prosecuting the attacker.
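As an added example (not from the page) of the logging side of a honeypot, here is a minimal low-interaction TCP honeypot in Python: it answers every connection with a fake service banner, records the source, the time and every byte the client sends, and never executes any of it. The banner text, the record format and the `probe` client used to exercise it are assumptions; a real deployment would put the listener on an isolated segment with outbound traffic blocked, as described above.

```python
"""Added example: a minimal low-interaction TCP honeypot that logs what
connecting clients send. Banner, record format and the probe client are
assumptions for illustration."""
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone


class _Handler(socketserver.BaseRequestHandler):
    """One connection: send the decoy banner, record everything received."""

    def handle(self):
        hp = self.server
        self.request.settimeout(hp.read_timeout)
        record = {
            "peer": f"{self.client_address[0]}:{self.client_address[1]}",
            "time": datetime.now(timezone.utc).isoformat(),
            "data": b"",
        }
        try:
            self.request.sendall(hp.banner)
            while len(record["data"]) < hp.max_bytes:
                chunk = self.request.recv(4096)
                if not chunk:          # client closed its side
                    break
                record["data"] += chunk
        except (socket.timeout, OSError):
            pass                       # idle or aborted clients are logged too
        with hp.lock:
            hp.log.append(record)


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, banner=b"220 mail.example.com ESMTP ready\r\n",
                 read_timeout=2.0, max_bytes=64 * 1024):
        super().__init__(address, _Handler)
        self.banner = banner           # decoy identity (assumed SMTP)
        self.read_timeout = read_timeout
        self.max_bytes = max_bytes     # cap so a flood cannot exhaust memory
        self.log = []
        self.lock = threading.Lock()


def start_honeypot(host="127.0.0.1", port=0, **kwargs) -> Honeypot:
    """Bind (port 0 = any free port) and serve in a background thread."""
    hp = Honeypot((host, port), **kwargs)
    threading.Thread(target=hp.serve_forever, daemon=True).start()
    return hp


def wait_for_records(hp: Honeypot, count: int, timeout=5.0) -> list:
    """Block until `count` records exist or the timeout expires."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with hp.lock:
            if len(hp.log) >= count:
                return list(hp.log)
        time.sleep(0.05)
    with hp.lock:
        return list(hp.log)


def probe(port: int, payload: bytes, host="127.0.0.1") -> bytes:
    """Constructed 'attacker' client: read the banner, send payload, hang up."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(1024)
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
    return banner


def hexdump(data: bytes) -> str:
    return " ".join(f"{b:02x}" for b in data)


if __name__ == "__main__":
    hp = start_honeypot()
    print("listening on", hp.server_address)
    probe(hp.server_address[1], b"EHLO scanner\r\nAUTH LOGIN\r\n")
    for rec in wait_for_records(hp, 1):
        print(rec["time"], rec["peer"], hexdump(rec["data"]))
    hp.shutdown()
    hp.server_close()
```

Every record is raw bytes plus source and time, which is what later forensic work needs; the listener deliberately has no command handling at all, so nothing an intruder sends can change its behaviour.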
A DMZ greatly increases the security of a network. Any network with a web server and even one other machine can benefit from a DMZ, not only a network that holds valuable or private information; anyone who wants to add an extra layer of protection to a machine can benefit. A DMZ, if properly configured, quickly increases the security of any network, because an attacker must first compromise a host in the DMZ and then cross a second, separately filtered boundary before reaching anything valuable. This greatly increases the skill required of an external hacker to compromise the internal network and thus lowers the threat to it. Of course, the defense-in-depth principle must still be remembered and practiced, but a DMZ provides a significant increase in security. We also examined the importance of honeypots in the line of defense.