Solved

Understanding DMZ

Posted on 2004-10-07
983 Views
Last Modified: 2008-01-09
Hi Experts,

Just wondering, could anybody explain DMZ to me? I know what it stands for, but what is the point of it and what does it do?
And why would I need one?

Question by:belronan
10 Comments
 
LVL 70

Accepted Solution

by:
Chris Dent earned 250 total points
ID: 12250549
DMZ - Demilitarized Zone

When talking about networking this is a very secure section of your network where as little as possible is allowed. The most common uses for something like this would be Web Services (whether that's e-mail relays or web servers).

As an example, a basic DMZ setup:

                                      The Internet (with a couple of hackers)
                                                               |
                                                               |
                                                    Company Firewall    --------    Web Server
                                                               |
                                                               |
                                                     Internal Network

Then you have some (basic) rules in place to protect that bit of your network:

Allow Traffic on Port 80 from The Internet to the Web Server
Block everything else from The Internet
Allow Traffic on Port 80 from the Internal Network to the Web Server
Allow Traffic on <Some Remote Admin Port> from the Internal Network to the Web Server
Block Everything Else

So now you have a nice little part of your network that almost no one can get to except on the things you really want them to. Nothing at all from outside can get to your nice safe internal network and mess things up there.
0
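The five rules in the accepted answer, modelled as a first-match packet filter so you can see what each zone can and cannot reach. This is an added example, not code from the thread or from any product; the address ranges, the web server address and the choice of 3389 as the "Some Remote Admin Port" are all constructed for illustration. It also checks the case chumplet raises further down: a compromised web server in the DMZ trying to reach the internal network.

```python
"""Three-zone DMZ policy from the accepted answer, as a first-match filter.

Added example (not from the original thread). Zones, addresses and the
admin port are constructed stand-ins.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed address plan: the web server sits in the DMZ, users on the
# internal network; anything not in either range is treated as "the Internet".
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}
WEB_SERVER = ipaddress.ip_address("192.0.2.10")
ADMIN_PORT = 3389  # assumed stand-in for "<Some Remote Admin Port>"


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the known ranges is the Internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "block"
    src_zone: Optional[str]   # None = any source zone
    dst: Optional[str]        # "web" = the web server, a zone name, or None = any
    dport: Optional[int]      # None = any destination port


# The answer's five rules, in order. First match wins; anything unmatched is blocked.
RULES = [
    Rule("allow", "internet", "web", 80),          # Internet -> web server, port 80
    Rule("block", "internet", None, None),         # Internet -> everything else
    Rule("allow", "internal", "web", 80),          # internal users -> web server, port 80
    Rule("allow", "internal", "web", ADMIN_PORT),  # internal admins -> web server, admin port
    Rule("block", None, None, None),               # block everything else
]


def matches(rule: Rule, src_zone: str, dst_ip: ipaddress.IPv4Address, dport: int) -> bool:
    if rule.src_zone is not None and rule.src_zone != src_zone:
        return False
    if rule.dst == "web":
        if dst_ip != WEB_SERVER:
            return False
    elif rule.dst is not None and zone_of(str(dst_ip)) != rule.dst:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def decide(src: str, dst: str, dport: int) -> str:
    """Return "allow" or "block" for a new connection from src to dst:dport."""
    src_zone = zone_of(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in RULES:
        if matches(rule, src_zone, dst_ip, dport):
            return rule.action
    return "block"  # default deny, in case the final catch-all is ever removed


if __name__ == "__main__":
    checks = [
        ("203.0.113.5", "192.0.2.10", 80),    # Internet -> web server on 80
        ("203.0.113.5", "192.0.2.10", 22),    # Internet -> web server on another port
        ("203.0.113.5", "10.1.2.3", 80),      # Internet -> internal host
        ("10.1.2.3", "192.0.2.10", ADMIN_PORT),  # internal admin -> web server
        ("192.0.2.10", "10.1.2.3", 445),      # (compromised) web server -> internal host
    ]
    for src, dst, port in checks:
        print(f"{zone_of(src):8} {src:>14} -> {dst}:{port:<5} {decide(src, dst, port)}")
```

The last check is the one that matters for the DMZ idea: the web server is allowed to receive connections from outside, but nothing in the rule set lets it open connections into the internal network, so the final catch-all blocks it.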
 

Author Comment

by:belronan
ID: 12250675
Cheers Mate,

So is it, in a sense, kinda like port forwarding then?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 12251445

In a sense, although the overall design isn't restricted to just Port Forwarding since it also involves IP Routing as a whole.

For instance, the web server might have a public IP Address in that instance and the Firewall used to just restrict access to that IP. Equally it might use Port Forwarding and hide behind another IP address entirely.

A lot of how it is set up depends on the Hardware you're using as well as what you're trying to make publicly available.
0
 
LVL 6

Expert Comment

by:chumplet
ID: 12252279
It's very common to use a DMZ for any/all 'publicly accessible' boxes (web servers, ftp box, etc.) and then only allow specific traffic from the Internet to those boxes.  If someone is able to get in and hack your web server, for instance, they'll be locked into that DMZ network *and should NOT* have access to your corp/internal network.  Essentially, a DMZ is a way to get boxes behind your firewall, but NOT have them on your corporate network.  

With that in mind, you could have many, many DMZs if you so desired.

Chumplet
0
 
LVL 15

Expert Comment

by:adamdrayer
ID: 12252520
Although that is a popular setup, the true origins of "DMZ" refer to computers that are connected to the internet without any firewall in front of them.  Web Servers, Mail Servers, IDS, etc... are usually put in DMZs because you have to open up access to the public.

Nowadays, routers and firewalls have DMZ ports, that "basically" allow total communication with the internet but also do tracking.  It's similar to port forwarding, but in a way.. it's also the opposite.  Port forwarding has to do with Network Address Translation where a single public IP would represent multiple services.  Depending on the port, a NAT device would forward the request to a particular computer.

With DMZ, all ports are open all the time.  So no matter what the request, it gets forwarded to the same computer.  This makes NAT useless, and "port forwarding" not completely accurate.
0
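The distinction adamdrayer draws, NAT port forwarding (one public port maps to one inside host) versus a router "DMZ host" (every unmatched port lands on one inside host), modelled in Python. This is an added example, not code from the thread or from any router firmware; the WAN address, inside addresses and forwarding table are constructed, and a real NAT device keeps connection state that this model leaves out.

```python
"""NAT port forwarding versus a router "DMZ host", as a routing decision.

Added example (not from the original thread). Addresses and the forwarding
table are constructed; the model ignores connection tracking.
"""
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "198.51.100.1"  # constructed WAN address of the NAT router

# Port-forwarding table: public port -> (inside host, inside port).
FORWARDS: Dict[int, Tuple[str, int]] = {
    80: ("192.168.1.10", 80),    # web server
    443: ("192.168.1.10", 443),
    25: ("192.168.1.20", 25),    # mail relay
}


def route_inbound(dst_ip: str, dst_port: int,
                  forwards: Dict[int, Tuple[str, int]] = FORWARDS,
                  dmz_host: Optional[str] = None) -> Optional[Tuple[str, int]]:
    """Where does an unsolicited inbound packet to dst_ip:dst_port end up?

    Returns (inside_host, inside_port), or None if the router drops it.
    A port-forward entry wins over the DMZ host; the DMZ host catches the rest.
    """
    if dst_ip != PUBLIC_IP:
        return None
    if dst_port in forwards:
        return forwards[dst_port]
    if dmz_host is not None:
        return (dmz_host, dst_port)   # every other port lands on the DMZ host
    return None


def exposed_ports(forwards: Dict[int, Tuple[str, int]], dmz_host: Optional[str],
                  probe_ports: range = range(1, 1025)) -> List[int]:
    """List the well-known ports that reach some inside host at all.

    With forwards only, this is just the forwarded ports; with a DMZ host set,
    it is every port in the range, which is the exposure the post describes.
    """
    return sorted(p for p in probe_ports
                  if route_inbound(PUBLIC_IP, p, forwards, dmz_host) is not None)


if __name__ == "__main__":
    print("forwards only:", exposed_ports(FORWARDS, None))
    print("with DMZ host:", len(exposed_ports(FORWARDS, "192.168.1.30")), "ports reachable")
```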
 
LVL 15

Expert Comment

by:adamdrayer
ID: 12252553
>>When talking about networking this is a very secure section of your network where as little as possible is allowed.

This is wrong.  A demilitarized zone has very little security, and is removed from your network segment both physically and logically as a result.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 12252598

The use and configuration of DMZ areas has changed over time somewhat. It is completely accurate to say it used to be an area with next to no security. But I personally haven't seen anywhere set-up like that for years, especially not after things like NetSky started flying around.

The main difference between a DMZ and the Private network these days tends to be that the DMZ is the only section that allows users from the Internet inside. It remains a good idea to only allow the minimum access to that section.

Perhaps in that respect DMZ is a bit of a misleading term?
0
 
LVL 2

Expert Comment

by:danielwpc
ID: 12255680
It is mainly used for keeping the local network and publicly accessible servers separate, to protect the internal network from public access.
0
 

Author Comment

by:belronan
ID: 12256926
Thanks all,

So I'm currently using port forwarding to access my Outlook Web Access and also occasionally my terminal server, so I should really put these two boxes in front of my firewall?

But then how do I connect them to my local network, or do these boxes have to be closed-off boxes that I would rarely, if ever, be updating?

Cheers
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 12256974
For Outlook / Exchange Microsoft supply the Front-End / Back-End Servers. Of course there is the additional cost of an extra server with an extra copy of Exchange etc. But this is the only way Exchange will let you have a more secure version in a DMZ. Exchange is too reliant on Active Directory to be moved outside the LAN otherwise.

For the Terminal Server, have you considered some kind of VPN type connection rather than opening it up completely?
0