DMZ: Demilitarized Zone
In information security, a Demilitarized Zone (DMZ) is a perimeter local network located between an organization's internal network and an external network, generally the Internet.
The objective of a DMZ is to allow connections from the internal network to the DMZ and from the external network to the DMZ, while generally permitting only connections from the DMZ to the external network. Devices in the DMZ are thus prevented from connecting directly to the internal network.
This allows systems located in the DMZ to provide services to the external network while protecting the internal network in case intruders compromise equipment in the demilitarized zone. For someone on the external network attempting to gain unauthorized access to the internal network, the DMZ becomes a dead end.
The DMZ or perimeter network acts as a filter between the Internet connection and an organization’s internal network, with the primary objective of verifying that connections between both networks are authorized.
A DMZ is commonly used to host servers that must be reachable from outside, such as email or web servers. A key characteristic is that only the services hosted on DMZ equipment may exchange traffic with the internal network, and only for specific connections, for example a web server connecting to a protected database located inside the internal network.
A DMZ is often created through firewall configuration, with each network attached to a different firewall interface (port).
DMZ Configurations
A demilitarized zone refers to a network of devices with a private IP address range that serves as a security buffer between two networks, separating them through strict access rules.
Although the servers within a DMZ physically belong to the same organization, they are not directly connected to devices on the internal local network.
The highest level of protection consists of firewalls separating the DMZ from both the local network and the Internet. In more cost-effective network architectures, all networks are connected to a single firewall with three separate interfaces.
DMZ with Two Firewalls (Dual Firewall)
To protect corporate networks from attacks originating from wide area networks (WAN), the concept of a dual-firewall DMZ is commonly implemented. This consists of:
- An external firewall protecting the DMZ from the public network
- An internal firewall between the DMZ and the corporate network
The firewalls may be independent, hardware-based or software-based.
This two-stage security architecture allows static routing configurations that regulate traffic as follows:
- If the user is on the external network (Internet), they can access the DMZ but not the internal network (LAN).
- If the user is on the internal network (LAN), they can access both the DMZ and the external network (Internet).
- If the user is in the DMZ, they cannot access either the external network (Internet) or the internal network (LAN).
Additionally, it is recommended to implement firewalls from different vendors. Otherwise, once a vulnerability is identified in one firewall, an attacker could easily compromise the other.
To prevent attacks from an infected server to other devices within the DMZ, additional firewall software or VLANs can be implemented.
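The three access rules listed above, together with the single exception the article allows (a DMZ web server reaching a protected database in the LAN), can be written down as a zone policy and exercised against sample flows. The model below is an added example, not code from the article or any vendor product: it is a simplified first-match evaluator with an implicit final DROP (default deny), not the syntax of any particular firewall. The address plan (10.10.0.0/16 for the LAN, 192.168.100.0/24 for the DMZ), the server addresses and the ports (443, 25, 5432) are constructed for the illustration. It follows the bullet list in denying DMZ-to-Internet traffic; a site that lets DMZ hosts fetch updates would add an explicit rule for that. The lint function flags the kind of broad DMZ-to-LAN rule that would defeat the isolation the zone exists to provide.

```python
"""Zone-policy model for a dual-firewall DMZ (added illustration, not the
article's code). Encodes the article's three access rules plus the one
documented exception: web server -> protected database in the LAN.
Addresses, hosts and ports are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan: one subnet per internal zone; anything else is the Internet.
ZONES = {
    "LAN": ip_network("10.10.0.0/16"),
    "DMZ": ip_network("192.168.100.0/24"),
}

def zone_of(ip: str) -> str:
    """Map an address to LAN, DMZ or INTERNET."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                      # "ACCEPT" or "DROP"
    dst_port: Optional[int] = None   # None = any port
    src_host: Optional[str] = None   # None = any host in src_zone
    dst_host: Optional[str] = None   # None = any host in dst_zone

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int

def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.src_zone == zone_of(flow.src)
            and rule.dst_zone == zone_of(flow.dst)
            and (rule.dst_port is None or rule.dst_port == flow.dst_port)
            and (rule.src_host is None or rule.src_host == flow.src)
            and (rule.dst_host is None or rule.dst_host == flow.dst))

def evaluate(rules, flow) -> str:
    """First-match evaluation; anything unmatched hits the implicit DROP."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "DROP"

# Combined view of both firewalls, following the article's bullet list.
POLICY = [
    # External firewall: the Internet may reach only the published DMZ services.
    Rule("INTERNET", "DMZ", "ACCEPT", dst_port=443, dst_host="192.168.100.10"),
    Rule("INTERNET", "DMZ", "ACCEPT", dst_port=25, dst_host="192.168.100.20"),
    # Internal firewall: LAN users may reach the DMZ and the Internet.
    Rule("LAN", "DMZ", "ACCEPT"),
    Rule("LAN", "INTERNET", "ACCEPT"),
    # The single documented exception: web server -> protected database, pinned to both hosts and the port.
    Rule("DMZ", "LAN", "ACCEPT", dst_port=5432,
         src_host="192.168.100.10", dst_host="10.10.5.20"),
    # Everything else (DMZ -> LAN in general, DMZ -> Internet) falls through to DROP.
]

def lint_isolation(rules) -> list:
    """Flag DMZ -> LAN ACCEPT rules that are not pinned to a source host, a destination host and a port."""
    return [r for r in rules
            if r.src_zone == "DMZ" and r.dst_zone == "LAN" and r.action == "ACCEPT"
            and (r.dst_port is None or r.src_host is None or r.dst_host is None)]

def demo() -> dict:
    """Evaluate a set of constructed flows and return name -> verdict."""
    flows = {
        "internet_to_web": Flow("203.0.113.7", "192.168.100.10", 443),
        "internet_to_lan": Flow("203.0.113.7", "10.10.5.20", 5432),
        "lan_to_dmz": Flow("10.10.1.15", "192.168.100.10", 22),
        "lan_to_internet": Flow("10.10.1.15", "198.51.100.9", 443),
        "web_to_db": Flow("192.168.100.10", "10.10.5.20", 5432),
        "mail_to_db": Flow("192.168.100.20", "10.10.5.20", 5432),
        "dmz_to_internet": Flow("192.168.100.10", "198.51.100.9", 443),
    }
    return {name: evaluate(POLICY, f) for name, f in flows.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
    loose = lint_isolation(POLICY + [Rule("DMZ", "LAN", "ACCEPT")])
    print("over-permissive DMZ->LAN rules:", len(loose))
```

The mail server in the example is denied the same database connection the web server is allowed, which is the point of pinning the exception to a specific source host rather than to the DMZ as a whole.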
DMZ with One Firewall
For a more economical implementation, a single high-capacity firewall (for example, a router with firewall functionality) can be used, with three separate network interfaces: one for the Intranet, one for the Internet, and one for the DMZ.
In this configuration, all ports are monitored separately by the same firewall, making it a Single Point of Failure (SPOF). It is essential to use a firewall capable of handling Internet traffic as well as different access levels to the internal network.
Exposed Host
Many routers provided by Internet Service Providers include a configuration option to enable a DMZ, through which one device in the organization becomes accessible from the Internet as an “exposed host.” Its primary function is to receive all requests from the Internet forwarded by the router.
Activating this option is generally not advisable, as network protection would then rely exclusively on the router. A router is not specifically designed to function as a firewall, and its security capabilities are much more limited.
An “exposed host” does not offer the same level of protection as a true DMZ, mainly because it is not separated from the local network. In any case, it is advisable to use additional monitoring, detection, and prevention tools.
Advantages and Disadvantages
Perimeter security architectures based on DMZs can be arranged in several schemes, which can be combined to meet the required security level.
To implement any architecture, an organization must evaluate its needs, analyzing uninterrupted operation, resources, services provided, and geographic distribution.
Systems to consider include: Intranets, e-commerce sites, switches, IP video surveillance, ERP (Enterprise Resource Planning), CRM (Customer Relationship Management), databases, among others.
Once identified, it is also necessary to consider who will access these services — internal users, Internet users, or geographically distant branches.
With this data, it is possible to design an appropriate DMZ architecture and even combine them to maximize advantages and minimize disadvantages.
Single Firewall with DMZ
Advantages:
- Simple administration
- More economical architecture
- Safer service publication
- Recommended structure for remote sites hosting only some critical services without direct LAN user access (e.g., a web server farm)
Disadvantages:
- Greater complexity in firewall management
- If the firewall is compromised, the entire network is affected
- If a server or device is compromised, the attacker may continue to other systems without additional protection barriers
Dual Firewall with DMZ
Advantages:
- Higher security
- Better access policies and filtering rules
- Full independence of networks and equipment
Disadvantages:
- Higher costs
- Should be evaluated against potential financial losses if services are compromised
DMZ Security
General best practices to ensure a secure DMZ include:
Preserve Isolation
Keep traffic rules between the DMZ and internal network as strict as possible. Avoid creating overly permissive rules that allow full access between DMZ systems and internal servers, as this defeats the purpose of the DMZ.
Practice Good Vulnerability Management
DMZ servers are exposed to the public, so they must be fully updated. Automate vulnerability alerts and apply patches more frequently than on protected systems to reduce exposure windows.
Use Application-Layer Defenses
Choose firewalls with strong application-layer protection capable of inspecting traffic content and blocking malicious requests (e.g., detecting SQL injection attempts).
Monitor, Monitor, Monitor
Use IDS (Intrusion Detection Systems), SIEM (Security Information and Event Management), log monitoring, and other tools to detect attack signals. DMZ systems are constantly exposed and must be among the most secured assets in the organization.
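When the isolation rules hold, a compromised DMZ host that tries to reach inward shows up in the internal firewall's deny log as one DMZ source being refused against many internal destinations in a short time. The detector below is an added example, not part of the article or of any product it mentions: it parses constructed deny-log lines in a simplified key=value format (the format, the address plan and every event are made up for the illustration) and raises one alert per DMZ source that is denied against at least five distinct internal host/port pairs inside a 60-second window. Drops at the external firewall are not alerted on, since those are the perimeter doing its normal job.

```python
"""Spot a DMZ host probing the internal network from firewall deny logs.
Added example, not the article's code. Log format, addresses and events are
constructed for the illustration."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

DMZ_NET = ip_network("192.168.100.0/24")   # constructed address plan
LAN_NET = ip_network("10.10.0.0/16")

# Constructed format: <ISO timestamp> fw=<name> action=<A> src=<ip> dst=<ip> dport=<n>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw=(?P<fw>\S+) action=(?P<action>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed sample: the web server's allowed DB connection, one stray drop from it,
# a burst of drops from the mail server against several LAN hosts, and an Internet drop.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 fw=inner action=ACCEPT src=192.168.100.10 dst=10.10.5.20 dport=5432
2024-05-01T10:00:02 fw=inner action=DROP src=192.168.100.20 dst=10.10.5.20 dport=445
2024-05-01T10:00:03 fw=inner action=DROP src=192.168.100.20 dst=10.10.5.21 dport=445
2024-05-01T10:00:03 fw=inner action=DROP src=192.168.100.20 dst=10.10.5.22 dport=3389
2024-05-01T10:00:04 fw=inner action=DROP src=192.168.100.20 dst=10.10.5.23 dport=22
2024-05-01T10:00:05 fw=inner action=DROP src=192.168.100.20 dst=10.10.5.24 dport=135
2024-05-01T10:00:06 fw=inner action=DROP src=192.168.100.20 dst=10.10.5.25 dport=139
2024-05-01T10:00:09 fw=inner action=DROP src=192.168.100.10 dst=10.10.5.20 dport=22
2024-05-01T10:30:00 fw=outer action=DROP src=203.0.113.7 dst=192.168.100.10 dport=8080
"""

def parse(line: str):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev

def detect_internal_probing(lines: str, window_s: int = 60, min_targets: int = 5) -> list:
    """Alert on DMZ sources denied against >= min_targets distinct LAN (host, port)
    pairs within window_s seconds. One alert per source."""
    events = defaultdict(list)   # src -> [(ts, (dst, dport)), ...]
    for line in lines.splitlines():
        ev = parse(line)
        if ev is None or ev["action"] != "DROP":
            continue
        if ip_address(ev["src"]) in DMZ_NET and ip_address(ev["dst"]) in LAN_NET:
            events[ev["src"]].append((ev["ts"], (ev["dst"], ev["dport"])))
    alerts = []
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_s seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            targets = {t for _, t in evs[start:end + 1]}
            if len(targets) >= min_targets:
                alerts.append({"src": src, "distinct_targets": len(targets),
                               "first_seen": evs[start][0].isoformat()})
                break
    return alerts

if __name__ == "__main__":
    for alert in detect_internal_probing(SAMPLE_LOGS):
        print(alert)
```

The thresholds are starting points: a DMZ that legitimately has no inward connections can alert on the first denied DMZ-to-LAN packet, while one with a documented exception (as in the web-server-to-database case) should exclude that allowed pair so the baseline stays quiet.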
Protelion has developed, in addition to its point-to-point VPN technology, the Protelion Threat Detection & Response solution to detect zero-day attacks, control network-based threats, and take immediate action for their eradication.