TechTarget.com/searchsecurity

https://www.techtarget.com/searchsecurity/definition/DMZ

What is a DMZ in networking?

By Nick Barney

In computer networks, a DMZ, or demilitarized zone, is a physical or logical subnet that separates a local area network (LAN) from other untrusted networks -- usually, the public internet. DMZs are also known as perimeter networks or screened subnetworks.

Any service provided to users on the public internet should be placed in the DMZ network. External-facing servers, resources and services are usually located there. The most common services include web, email, domain name system, FTP and proxy servers.

Servers and resources in the DMZ are accessible from the internet, but the rest of the internal LAN remains unreachable. This approach provides an additional layer of security to the LAN as it restricts a hacker's ability to access internal servers and data directly from the internet.

Hackers and cybercriminals can reach the systems running services on DMZ servers. Those servers must be hardened to withstand constant attack. The term DMZ comes from the geographic buffer zone that was set up between North Korea and South Korea at the end of the Korean War.

Why are DMZs important?

DMZs provide a level of network segmentation that helps protect internal corporate networks. These subnetworks restrict remote access to internal servers and resources, making it difficult for attackers to access the internal network. This strategy is useful for both individual use and large organizations.

Businesses place applications and servers exposed to the internet in a DMZ, separating them from the internal network. The DMZ isolates these resources so that if they are compromised, the attack is unlikely to cause exposure, damage or loss.

How does a DMZ work?

DMZs function as a buffer zone between the public internet and the private network. The DMZ subnet is deployed between two firewalls. All inbound network packets are then screened using a firewall or other security appliance before they arrive at the servers hosted in the DMZ.

If better-prepared threat actors pass through the first firewall, they must then gain unauthorized access to the services in the DMZ before they can do any damage. Those systems are likely hardened against such attacks.

Finally, assuming well-resourced threat actors take over a system hosted in the DMZ, they must still break through the internal firewall before they reach sensitive enterprise resources. Determined attackers can breach even the most secure DMZ architecture. However, a DMZ under attack sets off alarms, giving security professionals enough warning to avert a full breach of their organization.

What are the benefits of using a DMZ?

The primary benefit of a DMZ is that it offers users from the public internet access to certain secure services while maintaining a buffer between those users and the private internal network. Several security benefits from this buffer include the following:

• Access control. A DMZ network provides access control to services outside an organization's network perimeters accessed from the internet. It simultaneously introduces a level of network segmentation that increases the number of obstacles a user must bypass before gaining access to an organization's private network. In some cases, a DMZ includes a proxy server, which centralizes the flow of internal -- usually, employee -- internet traffic and makes recording and monitoring that traffic simpler.
• Network reconnaissance prevention. A DMZ also prevents an attacker from being able to scope out potential targets within the network. Even if a system within the DMZ is compromised, the internal firewall protects the private network, separating it from the DMZ. This setup makes external active reconnaissance more difficult. Although the servers in the DMZ are publicly exposed, they are backed by another layer of protection. The public face of the DMZ keeps attackers from seeing the contents of the internal private network. If attackers do manage to compromise the servers within the DMZ, they are still isolated from the private network by the DMZ's internal barrier.
• Protection against Internet Protocol (IP) spoofing. In some cases, attackers attempt to bypass access control restrictions by spoofing an authorized IP address to impersonate another device on the network. A DMZ can stall potential IP spoofers, while another service on the network verifies the IP address's legitimacy by testing whether it is reachable.

Vulnerabilities of DMZs

DMAs contain some vulnerabilities. The most important include:

• Direct access. Occasionally, DMZs can leave DNS servers and email servers exposed to direct access, leaving them potentially susceptible to cyberattacks.
• Limited protection. A DMZ is not typically designed to store sensitive data directly, meaning if improperly configured attackers could find vulnerabilities in front-end services within it. This can lead to access to back-end systems and sensitive data.
• Cyberattack exposure. Public-facing services such as DNS, FTP and VoIP servers in a DMZ are exposed to external attacks, increasing their potential risk of being compromised.
• Increased complexity and misconfiguration. Setting up and managing a DMZ involves multiple components, such as the second firewall which, if misconfigured, can create cybersecurity vulnerabilities.

What DMZs are used for

DMZ networks have been an important part of enterprise network security for almost as long as firewalls have been used. They are deployed for similar reasons: to protect sensitive organizational systems and resources. DMZ networks are often used for the following:

• Isolate and keep potential target systems separate from internal networks.
• Reduce and control access to those systems by external users.
• Host corporate resources to make some of them available to authorized external users.

More recently, enterprises have opted to use virtual machines or containers to isolate parts of the network or specific applications from the rest of the corporate environment. Cloud technologies have largely removed the need for many organizations to have in-house web servers. Much of the external facing infrastructure once located in the enterprise DMZ has migrated to the cloud, such as SaaS apps.

Architecture and design of DMZ networks

There are various ways to design a network with a DMZ. The two basic methods are to use either one or two firewalls, though most modern DMZs are designed with two firewalls. This approach can be expanded to create more complex architectures.

A single firewall with at least three network interfaces can be used to create a network architecture containing a DMZ. The external network is formed by connecting the public internet -- via an internet service provider connection -- to the firewall on the first network interface. The internal network is formed from the second network interface, and the DMZ network connects to the third network interface.

Different sets of firewall rules for monitoring traffic between the internet and the DMZ, the LAN and the DMZ, and the LAN and the internet tightly control which ports and types of traffic are allowed into the DMZ from the internet. These rules also limit connectivity to specific hosts in the internal network and prevent unrequested connections to the internet or the internal LAN from the DMZ.

The more secure approach to creating a DMZ network is a dual-firewall configuration, in which two firewalls are deployed with the DMZ network positioned between them. The first firewall -- also called the perimeter firewall -- allows only external traffic destined for the DMZ. The second, or internal, firewall only allows traffic from the DMZ to the internal network.

The dual-firewall approach is considered more secure because two devices must be compromised before an attacker can access the internal LAN. Security controls can be tuned specifically for each network segment. For example, a network intrusion detection and intrusion prevention system (IPS) located in a DMZ could be configured to block all traffic except HTTPS requests to TPC port 443.

Examples of DMZs

Some of the ways DMZs are used include the following:

• Cloud services. Some cloud services, such as Microsoft Azure, use a hybrid security approach in which a DMZ is implemented between an organization's on-premises network and the virtual network. Typically, this method is used when the organization's applications run partly on premises and partly on the virtual network. It's also used where outgoing traffic must be audited or granular traffic control is required between the virtual network and the on-premises data center.
• Home networks. A DMZ can also be useful in a home network where computers and other devices are connected to the internet using a broadband router and configured into a LAN. Some home routers include a DMZ host feature, which differs from organizational DMZ subnetworks that have more devices than a home network. The DMZ host feature designates one home network device to function outside the firewall, where the network acts as the DMZ while the rest of the home network lies inside the firewall. In some cases, a gaming console is selected as the DMZ host so the firewall doesn't interfere with gaming. A console is also a good DMZ host because it likely holds less sensitive information than a personal computer.
• Industrial control systems (ICSes). DMZs provide a potential solution to the security risks of ICSes. Industrial equipment, such as turbine engines, or ICSes are being merged with information technology (IT), which makes production environments smarter and more efficient. But it also creates a larger threat surface. Much of the industrial or operational technology (OT) equipment connecting to the internet is not designed to handle attacks in the same way IT devices are. A DMZ can provide increased network segmentation that can make it harder for ransomware or other network threats to bridge the gap between IT systems and their more vulnerable OT counterparts.

Difference between DMZ and firewall

DMZs and firewalls are similar cybersecurity apparatuses often used together but with significant differences. A firewall acts as a barrier between internal networks and the outside world by blocking or allowing traffic based on programmed configurations. This helps prevent unauthorized traffic to a network.

Conversely, a DMZ is a more extensive network tool situated between an internal network and the public internet. Unlike a firewall that manages access, a DMZ creates a controlled area for services requiring public access such as DNS servers, mail servers and VPN access points. In so doing, a DMZ keeps these services from interacting directly with the internal network.

Types of DMZs

Several common types of DMZs include:

• Single firewall DMZ. This is a simple setup where a DMZ is created using one firewall with specific rules to separate the internal network from the public network.
• Dual firewall DMZ. This uses a second firewall to provide an additional layer of security, isolating the DMZ between two firewalls for more controlled access.
• Cloud-based DMZ. This DMZ is hosted in a cloud environment and often used for services such as DNS or VPN that need to be accessible externally but are managed in a virtualized environment.
• Dedicated hardware DMZ. This DMZ is hosted on specific hardware, such as standalone email or FTP servers, and enhances cybersecurity by keeping certain functions separated physically from the internal network.

Learn how a honeypot can be placed in the DMZ to attract malicious traffic, keep it away from the internal network and let IT study its behavior. Read more about industrial demilitarized zone for industrial control systems, which can prevent operational environments from becoming compromised by IT threats.