Skip to main content

DMZ

zone
The word zone is used to mean any area that is separated from another, or is distinguished from another based on distinctive circumstances. In computers, networking and the Internet, the meaning of the word zone changes depending on the specific environment. Some common meanings of the word zone include the following:

  • Domain Name System (DNS): Zone is the name space that is allocated for a specific server. Also called DNS zone. Zone files on these servers contain information about one or more domain names.
  • Apple computers: Zone is a logical group of network devices using AppleTalk.
  • SAN: Zoning is the process of allocating resources in a SAN to load balance the devices connected to the network.
  • General computing: levels of administration and access are called zones.


In computer security, a DMZ (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network. The name is derived from the term "demilitarized zone", an area between nation states in which military action is not permitted.

SolutionBase: Strengthen network defenses by using a DMZ
By Guest Contributor
June 29, 2005, 7:00am PDT
The concept of the DMZ, like many other network security concepts, was borrowed from military terminology. Geopolitically, a demilitarized zone (DMZ) is an area that runs between two territories that are hostile to one another or two opposing forces' battle lines. The term was first widely used to refer to the strip of land that cuts across the Korean peninsula and separates the North from the South. In computer networking, the DMZ likewise provides a buffer zone that separates an internal network from the often hostile territory of the Internet. Sometimes it's called a "screened subnet" or a "perimeter network," but the purpose remains the same.
In this article, we'll look at how the DMZ works and different security architectures for building DMZs. In the second article of this two-part article, we'll talk about what computers should (and shouldn't) be placed in the DMZ and how to monitor DMZ activity.
How the DMZ Works
Unlike the geopolitical DMZ, a DMZ network is not a no-man's land that belongs to nobody. When you create a DMZ for your organization, it belongs to you and is under your control. However, it is an isolated network that's separate from your corporate LAN (the "internal" network). The DMZ uses IP addresses belonging to a different network ID.
If you think of the internal network as the "trusted" network and the external public network (the Internet) as the "untrusted" network, you can think of the DMZ as a "semi-trusted" area. It's not as secured as the LAN, but because it is behind a firewall, neither is it as non-secure as the Internet. You can also think of the DMZ as a "liaison network" that can communicate with both the Internet and the LAN while sitting between the twoWhat does this accomplish? You can place computers that need to communicate directly with the Internet (public servers) in the DMZ instead of on your internal network. They will be protected by the outer firewall, although they are still at risk simply because they have direct contact with Internet computers. Because the DMZ is only "semi-secure," it's easier to hack a computer in the DMZ than on the internal network. The good news is that if a DMZ computer does get hacked, it doesn't compromise the security of the internal network, because it's on a completely separate, isolated network.
Why put any computers in this riskier network? Let's take an example: in order to do its job (make your Web site available to members of the public), your Web server has to be accessible to the Internet. But having a server on your network that's accessible from the Internet puts the entire network at risk. There are three ways to reduce that risk:

  • You could pay a hosting company to host your Web sites on their machines and network. However, this gives you less control over your Web servers.
  • You could host the public servers on the firewall computer. However, best security practices say the firewall computer should be dedicated solely to act as a firewall (this reduces the chances of the firewall being compromised), and practically speaking, this would impair the firewall's performance. Besides, if you have a firewall appliance running a proprietary OS, you won't be able to install other services on it.
  • The third solution is to put the public Web servers on a separate, isolated network: the DMZ.

Comments

Post a Comment

Popular posts from this blog

Safety property that a deadlock can never occur

Identified four necessary conditions for a deadlock to occur 1. Mutual Exclusion. The nodes claim exclusive control of the resources they require. 2. Wait for. Tasks hold resources already allocated to them while waiting for additional resources. 3. No preemption. Resources cannot be forcibly removed from the tasks holding them until the resources are used to completion. 4. Cyclic Wait. A cyclic chain of tasks exists, such that each task holds one or more resources that are being requested by the next task in the chain. References: For information about system deadlocks please refer: E. G. Coffman, M. Elphick, and A. Shoshani. System Deadlocks
Post a Comment
Read more

OWASP API Security Top 10 vulnerabilities 2023

API Security Do's and Don'ts Don't trust input data for an API and do validate all inputs. Ensure you understand security and keep sensitive data out of code. Don't hardcode keys/tokens Don't reveal useful info in error messages. Don't have hidden/unadvertised features. Don't filter data in UI - control at app level Don't confuse authentication and authorization Always use API gateways to control access and traffic Do require API documentation. Do expect users/hackers to find and use undocumented endpoints Do continuous testing - attack simulation, test configs, fuzzing, injections OWASP API Security Top 10 Vulnerabilities 2023 API-1:2023 - Broken Object Level Authorization: BOLA is still the leading vulnerability that plagues APIs. When data objects do not have sufficient access controls in place, resources can be accessed by unauthorized users. API-2:2023 - Broken Authentication  Broken Authentication contains all vulnerabilities associated with auth...
Post a Comment
Read more
Program to print items in single linkedlist in Pendulum order  Single linked list pendulum in java There are sequence of numbers in a single linked list and display the result in pendulum format Input : 1 2 3 4 5 6 7 8 Output : 1 8 2 7 3 6 5 4 Solution :  https://github.com/Bonu/datastructures/blob/main/SingleLinkedListPendulum.java Below is the manual approach: Input: 1 2 3 4 5 6 7 Iteration 1: 1 2 3 4 5 6 7 Iteration 2: 1 7 2 3 4 5 6 Iteration 3: 1 7 2 6 3 4 5 Iteration 4: 1 7 2 6 3 5 4
Post a Comment
Read more