DMZ - Demilitarized Zone


CntdwnToExtn

The DMZ aka Perimeter Network, is a network separate from the LAN that hosts many of the external services that connect to the Internet. These services can be Web Servers, Front-End Mail Servers (now known as Edge Servers), FTP Servers and Proxies. Honey Pots can be located in this area as well.

The classic setup would be:
Internet --> Firewall --> DMZ --> Firewall --> LAN

Why put these services into the DMZ zone? Security reasons.

These servers/services are not part of your network but are authorized to communicate to the internal network (if needed) with a defined set of firewall rules. If a server in this zone was to be compromised, the attacker still does not have network/domain access and must break through yet another firewall.

An example of a server found in the DMZ would be an Email Edge Server.

An Edge server placed in the DMZ would accept all incoming email communication. Once a secure LDAP lookup is complete, the email message is then forwarded from the Edge server to your internal mailing system. Never will the sending email system talk to your internal Hub Transport or Database. Nor would the internal mailing system ever have any access to the outside world due to firewall rules.

If the Edge server was to be compromised the ports/type of communication are limited due to the DMZ/LAN firewall. User accounts located on the Edge Server have no authority on the LAN rendering them useless.

If you decided not to use an Edge Server and simply allowed direct access to your internal mailing system, an attacker could compromise your system and have direct access to your mail database. Even more, direct access to the LAN/domain if user accounts have been compromised.


So if you are thinking about providing a service that not only your internal LAN will be needing but the Internet as well, it would be a good idea to investigate what the added cost for the DMZ would be.
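Added example (not from the post above): a small policy model of the two-firewall layout the post describes, so the "compromised Edge still cannot reach the LAN" property can be checked flow by flow. Addresses, the Edge/Hub/DC roles and the SMTP and LDAPS port numbers are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed addressing for the post's "Internet --> Firewall --> DMZ --> Firewall --> LAN"
# layout; all addresses and port numbers are assumptions, not taken from the post.
DMZ = ip_network("192.0.2.0/24")
LAN = ip_network("10.0.0.0/8")
EDGE = "192.0.2.25"   # Edge server in the DMZ
HUB = "10.0.0.25"     # internal Hub Transport
DC = "10.0.0.10"      # domain controller answering the secure LDAP lookup
ANY = ip_network("0.0.0.0/0")
SMTP, LDAPS = 25, 636

@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: int
    action: str  # "allow" or "deny"

# Outer firewall: the Internet may reach only the Edge server, and only on SMTP.
FW_OUTER = [Rule(ANY, ip_network(EDGE), SMTP, "allow")]
# Inner firewall: the Edge may reach the Hub on SMTP and the DC on LDAPS; nothing else crosses.
FW_INNER = [
    Rule(ip_network(EDGE), ip_network(HUB), SMTP, "allow"),
    Rule(ip_network(EDGE), ip_network(DC), LDAPS, "allow"),
]

def zone(addr: str) -> str:
    ip = ip_address(addr)
    return "dmz" if ip in DMZ else "lan" if ip in LAN else "internet"

def evaluate(rules, src: str, dst: str, dport: int) -> str:
    """First matching rule wins; an unmatched flow hits the implicit default deny."""
    for r in rules:
        if ip_address(src) in r.src and ip_address(dst) in r.dst and r.dport == dport:
            return r.action
    return "deny"

def firewalls_on_path(src_zone: str, dst_zone: str):
    """Crossing internet<->dmz hits the outer firewall, dmz<->lan the inner one, internet<->lan both."""
    order = ["internet", "dmz", "lan"]
    lo, hi = sorted((order.index(src_zone), order.index(dst_zone)))
    return [fw for fw, hop in ((FW_OUTER, 0), (FW_INNER, 1)) if lo <= hop < hi]

def permitted(src: str, dst: str, dport: int) -> bool:
    """A flow is allowed only if every firewall between the two zones allows it."""
    return all(evaluate(fw, src, dst, dport) == "allow"
               for fw in firewalls_on_path(zone(src), zone(dst)))
```

Calling `permitted(EDGE, DC, 3389)` models the post's compromised-Edge case: the inner firewall has no rule for that flow, so it is denied even though the Edge is a trusted SMTP/LDAPS client.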