Understanding DMZ

Hi Experts,

Just wondering could anybody explain DMZ to me, I know what it stands for but what is the point of it and what does it do.
And why would I need one?

belronanAsked:
Chris DentPowerShell DeveloperCommented:
DMZ - Demilitarized Zone

When talking about networking this is a very secure section of your network where as little as possible is allowed. The most common uses for something like this would be Web Services (whether that's e-mail relays or web servers).

As an example, a basic DMZ setup:

                                      The Internet (with a couple of hackers)
                                                               |
                                                               |
                                                    Company Firewall    --------    Web Server
                                                               |
                                                               |
                                                     Internal Network

Then you have some (basic) rules in place to protect that bit of your network:

Allow Traffic on Port 80 from The Internet to the Web Server
Block everything else from The Internet
Allow Traffic on Port 80 from the Internal Network to the Web Server
Allow Traffic on <Some Remote Admin Port> from the Internal Network to the Web Server
Block Everything Else

So now you have a nice little part of your network that almost no one can get to except on the things you really want them to. Nothing at all from outside can get to your nice safe internal network and mess things up there.
0
 
belronanAuthor Commented:
Cheers Mate,

So is it, in a sense, kinda like port forwarding then?
0
 
Chris DentPowerShell DeveloperCommented:

In a sense, although the overall design isn't restricted to just Port Forwarding since it also involves IP Routing as a whole.

For instance, the web server might have a public IP Address in that instance and the Firewall used to just restrict access to that IP. Equally it might use Port Forwarding and hide behind another IP address entirely.

A lot of how it is set up depends on the Hardware you're using as well as what you're trying to make publicly available.
0
 
chumpletCommented:
It's very common to use a DMZ for any/all 'publicly accessible' boxes (web servers, ftp box, etc.) and then only allow specific traffic from the Internet to those boxes.  If someone is able to get in and hack your web server, for instance, they'll be locked into that DMZ network *and should NOT* have access to your corp/internal network.  Essentially, a DMZ is a way to get boxes behind your firewall, but NOT have them on your corporate network.  

With that in mind, you could have many, many DMZs if you so desired.

Chumplet
0
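As an added illustration of the rule list in Chris Dent's first answer and of Chumplet's point that a compromised DMZ host should still be locked out of the internal network (example code, not from any poster; the address ranges, the 3389 admin port and the zone names are constructed assumptions), here is a small first-match policy evaluator that checks which flows the five rules actually permit:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan (hypothetical; the thread names no addresses).
ZONES = {
    "internal": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.0.2.0/24"),
    "internet": ip_network("0.0.0.0/0"),  # checked last: matches anything else
}
WEB_SERVER = ip_address("192.0.2.10")
ADMIN_PORT = 3389  # stands in for "<Some Remote Admin Port>" in the post


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "block"
    src: str               # zone name, or "any"
    dst: str               # zone name, "web" (the web server) or "any"
    port: Optional[int]    # None means any port


# The five rules from the post, in order; first match wins, default deny.
RULES = [
    Rule("allow", "internet", "web", 80),
    Rule("block", "internet", "any", None),
    Rule("allow", "internal", "web", 80),
    Rule("allow", "internal", "web", ADMIN_PORT),
    Rule("block", "any", "any", None),
]


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in ZONES.items():  # dict order: most specific first
        if ip in net:
            return name
    return "internet"


def _matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    src_ok = rule.src in ("any", zone_of(src))
    dst_ok = (rule.dst == "any"
              or (rule.dst == "web" and ip_address(dst) == WEB_SERVER)
              or rule.dst == zone_of(dst))
    return src_ok and dst_ok and rule.port in (None, port)


def is_allowed(src: str, dst: str, port: int) -> bool:
    """Evaluate a TCP flow (src IP, dst IP, dst port) with first-match semantics."""
    for rule in RULES:
        if _matches(rule, src, dst, port):
            return rule.action == "allow"
    return False  # nothing matched: deny by default
```

Note that the last test below is the case Chumplet describes: a flow from the web server itself into the internal network never matches an allow rule and is dropped by the final catch-all.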
 
adamdrayerCommented:
Although that is a popular setup, the true origins of "DMZ" refer to computers that are connected to the internet without any firewall in front of them.  Web Servers, Mail Servers, IDS, etc... are usually put in DMZs because you have to open up access to the public.

Nowadays, routers and firewalls have DMZ ports, that "basically" allow total communication with the internet but also do tracking.  It's similar to port forwarding, but in a way.. it's also the opposite.  Port forwarding has to do with Network Address Translation where a single public IP would represent multiple services.  Depending on the port, a NAT device would forward the request to a particular computer.

With DMZ, all ports are open all the time.  So no matter what the request, it gets forwarded to the same computer.  This makes NAT useless, and "port forwarding" not completely accurate.
0
 
adamdrayerCommented:
>>When talking about networking this is a very secure section of your network where as little as possible is allowed.

This is wrong.  A demilitarized zone has very little security, and is removed from your network segment both physically and logically as a result.
0
 
Chris DentPowerShell DeveloperCommented:

The use and configuration of DMZ areas has changed over time somewhat. It is completely accurate to say it used to be an area with next to no security. But I personally haven't seen anywhere set-up like that for years, especially not after things like NetSky started flying around.

The main difference between a DMZ and the Private network these days tends to be that the DMZ is the only section that allows users from the Internet inside. It remains a good idea to only allow the minimum access to that section.

Perhaps in that respect DMZ is a bit of a misleading term?
0
 
danielwpcCommented:
It is mainly used for keeping the local network and publicly accessible servers separate, to protect the internal network from public access.
0
 
belronanAuthor Commented:
Thanks all,

So I'm currently using port forwarding to access my Outlook Web Access and also occasionally my terminal server, so I should really put these two boxes in front of my firewall???

But then how do I connect them to my local network, or do these boxes have to be closed-off boxes that I would rarely if ever be updating?

Cheers
0
 
Chris DentPowerShell DeveloperCommented:
For Outlook / Exchange, Microsoft supply the Front-End / Back-End Servers. Of course there is the additional cost of an extra server with an extra copy of Exchange etc. But this is the only way Exchange will let you have a more secure version in a DMZ. Exchange is too reliant on Active Directory to be moved outside the LAN otherwise.

For the Terminal Server, have you considered some kind of VPN type connection rather than opening it up completely?
0