Solved

Understanding DMZ

Posted on 2004-10-07
974 Views
Last Modified: 2008-01-09
Hi Experts,

Just wondering, could anybody explain DMZ to me? I know what it stands for, but what is the point of it and what does it do?
And why would I need one?

Question by:belronan
10 Comments
LVL 70

Accepted Solution

by:
Chris Dent earned 250 total points
DMZ - Demilitarized Zone

When talking about networking this is a very secure section of your network where as little as possible is allowed. The most common uses for something like this would be Web Services (whether that's e-mail relays or web servers).

As an example, a basic DMZ setup:

   The Internet (with a couple of hackers)
                      |
                      |
              Company Firewall -------- Web Server
                      |
                      |
               Internal Network

Then you have some (basic) rules in place to protect that bit of your network:

Allow Traffic on Port 80 from The Internet to the Web Server
Block everything else from The Internet
Allow Traffic on Port 80 from the Internal Network to the Web Server
Allow Traffic on <Some Remote Admin Port> from the Internal Network to the Web Server
Block Everything Else

So now you have a nice little part of your network that almost no one can get to except on the things you really want them to. Nothing at all from outside can get to your nice safe internal network and mess things up there.
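The five rules in the accepted solution are easiest to reason about by evaluating them the way a firewall does: top to bottom, first match wins. The following Python model is an added example, not code from the original thread or from any firewall product. The addresses, the zone names and the choice of port 22 as the "Some Remote Admin Port" are all constructed assumptions; it encodes the layout and the rule list above and then asks which ports each source can reach, including whether a compromised web server could turn around and reach the internal network.

```python
from dataclasses import dataclass
from typing import List, Optional

# Zones in the three-legged layout drawn above: the firewall has one leg into each.
INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"

# Constructed addresses for this example (IETF documentation ranges, not real hosts).
WEB_SERVER = "198.51.100.25"   # sits in the DMZ
ZONE_OF = {
    "203.0.113.10": INTERNET,  # a host somewhere on the Internet
    WEB_SERVER: DMZ,
    "10.0.0.42": INTERNAL,     # an internal workstation
    "10.0.0.5": INTERNAL,      # an internal file server
}
ADMIN_PORT = 22  # stands in for "<Some Remote Admin Port>"; SSH is an assumption here


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src_zone: Optional[str]     # None = any zone
    dst: Optional[str]          # None = any host
    dport: Optional[int]        # None = any port

    def matches(self, pkt: Packet, src_zone: str) -> bool:
        return ((self.src_zone is None or self.src_zone == src_zone)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


# The five rules from the answer, in the order given; first match wins.
RULES: List[Rule] = [
    Rule("allow", INTERNET, WEB_SERVER, 80),          # Internet -> web server :80
    Rule("deny",  INTERNET, None, None),              # block everything else from the Internet
    Rule("allow", INTERNAL, WEB_SERVER, 80),          # internal users browse the web server
    Rule("allow", INTERNAL, WEB_SERVER, ADMIN_PORT),  # internal admins manage it
    Rule("deny",  None, None, None),                  # block everything else
]


def zone_of(addr: str) -> str:
    # Anything the firewall does not know is treated as the Internet: the safe default.
    return ZONE_OF.get(addr, INTERNET)


def decide(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """First-match evaluation of a packet against the rule table."""
    src_zone = zone_of(pkt.src)
    for rule in rules:
        if rule.matches(pkt, src_zone):
            return rule.action
    return "deny"  # implicit default deny if the table had no catch-all rule


def reachable_ports(src: str, dst: str, ports=range(1, 1025)) -> List[int]:
    """Ports on dst (well-known range by default) that src is allowed to reach."""
    return [p for p in ports if decide(Packet(src, dst, p)) == "allow"]


if __name__ == "__main__":
    internet, internal, fileserver = "203.0.113.10", "10.0.0.42", "10.0.0.5"
    print("Internet -> web server:   ", reachable_ports(internet, WEB_SERVER))   # [80]
    print("Internet -> internal:     ", reachable_ports(internet, internal))     # []
    print("Internal -> web server:   ", reachable_ports(internal, WEB_SERVER))   # [22, 80]
    # A compromised web server cannot pivot inward: the final deny covers DMZ -> internal.
    print("Web server -> file server:", reachable_ports(WEB_SERVER, fileserver))  # []
```

The last line is the property that makes the segment worth having: the web server is reachable from outside on exactly one port, and nothing in the table lets traffic originate from the DMZ toward the internal network, so the "Block Everything Else" rule does the isolation work.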

Author Comment

by:belronan
Cheers Mate,

So is it, in a sense, kinda like port forwarding then?
LVL 70

Expert Comment

by:Chris Dent

In a sense, although the overall design isn't restricted to just Port Forwarding since it also involves IP Routing as a whole.

For instance, the web server might have a public IP Address in that instance and the Firewall used to just restrict access to that IP. Equally it might use Port Forwarding and hide behind another IP address entirely.

A lot of how it is set up depends on the Hardware you're using as well as what you're trying to make publicly available.
LVL 6

Expert Comment

by:chumplet
It's very common to use a DMZ for any/all 'publicly accessible' boxes (web servers, ftp box, etc.) and then only allow specific traffic from the Internet to those boxes.  If someone is able to get in and hack your web server, for instance, they'll be locked into that DMZ network *and should NOT* have access to your corp/internal network.  Essentially, a DMZ is a way to get boxes behind your firewall, but NOT have them on your corporate network.  

With that in mind, you could have many, many DMZs if you so desired.

Chumplet
LVL 15

Expert Comment

by:adamdrayer
Although that is a popular setup, the true origins of "DMZ" refer to computers that are connected to the Internet without any firewall in front of them. Web servers, mail servers, IDS, etc. are usually put in DMZs because you have to open up access to the public.

Nowadays, routers and firewalls have DMZ ports that "basically" allow total communication with the Internet but also do tracking. It's similar to port forwarding, but in a way it's also the opposite. Port forwarding has to do with Network Address Translation, where a single public IP would represent multiple services. Depending on the port, a NAT device would forward the request to a particular computer.

With DMZ, all ports are open all the time.  So no matter what the request, it gets forwarded to the same computer.  This makes NAT useless, and "port forwarding" not completely accurate.
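The distinction drawn in the comment above, a port-forwarding table versus a router's "DMZ host" setting that hands every unmatched port to one machine, can be made concrete with a small destination-NAT model. This is an added example, not code from the thread or from any router firmware; the public IP, the internal hosts and the forwarding table are constructed, and the rule that explicit forwards are consulted before the DMZ host is an assumption of the model rather than a statement about any particular product. The point it shows is how many services a single "DMZ host" setting exposes compared with forwarding a few chosen ports.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

PUBLIC_IP = "203.0.113.5"  # constructed: the router's single public address

# Port forwarding table: public port -> (internal host, internal port).
# Addresses are constructed for this example.
PORT_FORWARDS: Dict[int, Tuple[str, int]] = {
    80:  ("192.168.1.10", 80),    # web server
    443: ("192.168.1.10", 443),
    25:  ("192.168.1.20", 25),    # mail relay
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def translate_inbound(pkt: Packet,
                      forwards: Dict[int, Tuple[str, int]] = PORT_FORWARDS,
                      dmz_host: Optional[str] = None) -> Optional[Packet]:
    """Destination NAT for an unsolicited inbound packet arriving at the public IP.

    Returns the rewritten packet, or None if the router drops it. Explicit
    forwards are consulted before the DMZ host (an assumption of this model).
    """
    if pkt.dst != PUBLIC_IP:
        return None                       # not addressed to the router
    if pkt.dport in forwards:
        host, port = forwards[pkt.dport]  # one public port -> one internal service
        return Packet(pkt.src, host, port)
    if dmz_host is not None:
        return Packet(pkt.src, dmz_host, pkt.dport)  # every other port, passed through unchanged
    return None                           # no mapping: plain NAT drops unsolicited traffic


def exposed_services(forwards: Dict[int, Tuple[str, int]],
                     dmz_host: Optional[str],
                     probe_ports: Iterable[int]) -> Dict[str, List[int]]:
    """Which internal host answers each probed public port, as host -> list of ports."""
    result: Dict[str, List[int]] = {}
    for port in probe_ports:
        out = translate_inbound(Packet("198.51.100.77", PUBLIC_IP, port), forwards, dmz_host)
        if out is not None:
            result.setdefault(out.dst, []).append(port)
    return result


if __name__ == "__main__":
    probes = [22, 25, 80, 443, 3389]  # a handful of ports an outside scanner might try
    print("port forwarding only:", exposed_services(PORT_FORWARDS, None, probes))
    # {'192.168.1.20': [25], '192.168.1.10': [80, 443]}
    print("with a DMZ host:     ", exposed_services(PORT_FORWARDS, "192.168.1.30", probes))
    # {'192.168.1.30': [22, 3389], '192.168.1.20': [25], '192.168.1.10': [80, 443]}
```

With forwarding alone, only the three chosen ports reach anything inside. Once a DMZ host is set, every port not in the table lands on that host, so whatever it happens to be listening on is reachable from the Internet; that is the sense in which the comment says "all ports are open all the time", and it is why such a host needs the same treatment as a server on a proper DMZ segment.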
LVL 15

Expert Comment

by:adamdrayer
>>When talking about networking this is a very secure section of your network where as little as possible is allowed.

This is wrong.  A demilitarized zone has very little security, and is removed from your network segment both physically and logically as a result.
LVL 70

Expert Comment

by:Chris Dent

The use and configuration of DMZ areas has changed over time somewhat. It is completely accurate to say it used to be an area with next to no security. But I personally haven't seen anywhere set up like that for years, especially not after things like NetSky started flying around.

The main difference between a DMZ and the Private network these days tends to be that the DMZ is the only section that allows users from the Internet inside. It remains a good idea to only allow the minimum access to that section.

Perhaps in that respect DMZ is a bit of a misleading term?
LVL 2

Expert Comment

by:danielwpc
It is mainly used for keeping the local network and publicly accessible servers separate, to protect the internal network from public access.

Author Comment

by:belronan
Thanks all,

So I'm currently using port forwarding to access my Outlook Web Access and also occasionally my terminal server, so should I really put these two boxes in front of my firewall?

But then how do I connect them to my local network, or do these boxes have to be closed-off boxes that I would rarely if ever be updating?

Cheers
LVL 70

Expert Comment

by:Chris Dent
For Outlook / Exchange, Microsoft supply the Front-End / Back-End servers. Of course there is the additional cost of an extra server with an extra copy of Exchange etc. But this is the only way Exchange will let you have a more secure version in a DMZ. Exchange is too reliant on Active Directory to be moved outside the LAN otherwise.

For the Terminal Server, have you considered some kind of VPN type connection rather than opening it up completely?