As your organization grows and your network becomes larger and more complex, it becomes more likely that you'll run services that can open the local network up to attacks and security threats. For instance, small companies often look to their ISPs or hosting services for e-mail, Web site hosting, etc. But as the company grows and you develop an IT department with the technology savvy to handle such things, you may want to bring those functions inside, implementing your own on-site e-mail servers and Web servers. This gives you more control and can save you money--but it can also introduce new security risks.
Servers, by definition, accept connections from other computers and allow those other computers to access their resources. When those other computers are on the Internet--as is the case if you have a public Web site or receive e-mail from users outside your LAN--you have less control over them and thus become more vulnerable to attack. An attacker who gets in through an Internet-facing server can wreak havoc on the entire network, unless you take steps to prevent it.
One mechanism for protecting your internal computers is to put the systems that need to interact with external computers on a separate subnet, with a firewall at the Internet edge to protect them from external threats and a second firewall between that subnet and the internal LAN, so that attacks that make it into the subnet can't cross over to the LAN. A subnet set up in this way is called a perimeter network, screened subnet, or in popular parlance, a DMZ.
The DMZ Concept
In military jargon, a DMZ is an area between two opposing sides in a war that serves as a buffer or boundary. In computer networking, the term also describes a boundary area between two "opposing sides"--your internal network and the Internet. The DMZ can be created either with two separate firewalls or with one "three-legged" firewall that has the LAN connected to one of the firewall's ports and the DMZ connected to another.
There are a number of ways to implement the DMZ concept. The most basic DMZ uses a single firewall and contains a single bastion host--a server (often a Web server) that the computers on the internal LAN treat as "untrusted." This is a fairly low-cost implementation, but it provides less security than more sophisticated DMZ designs and is not as scalable. The bastion host is vulnerable, but the internal network is protected.
For better security, a single firewall can be used with a screened subnet and a bastion host. This provides for protection of both the LAN and the bastion host. You’ll need to use a split DNS configuration, which means separate DNS zones for the DNS records of internally accessible and externally accessible servers in the same domain.
The most flexible and scalable DMZ design relies on a multi-tiered firewall. This design allows you to offer multiple services to both the external network (Internet) and the internal one (LAN).
Making your DMZ scalable
One way to make your DMZ scalable is to choose your firewalls wisely. By selecting a firewall that can inspect VLAN tags, you don't need a separate physical firewall for each network; instead, one firewall can enforce different policies according to the VLAN tags.
As your network grows, you will most likely add more Internet-facing servers to the DMZ. It’s easy to expand the subnet to accommodate those machines that need to interface directly with the Internet, and you can create front end/back end configurations (for instance, a front end e-mail server in the DMZ with a back end mail server on the LAN).
If you host your own DNS servers for your domain, and they’ll be accessed by external users, they should be placed in the DMZ as well. FTP servers that you maintain for the purpose of exchanging files with customers or business partners can also be located in the DMZ.
Of course, there are some types of servers that you should not place in the DMZ. Domain controllers top the list, for obvious reasons. If your domain controller is compromised, the entire internal network is at risk. Remote access authentication servers, such as RADIUS servers, should also be placed on the internal network for best security. If external users require authentication, you can use VPN solutions or proxies.
Another way to scale as your networking needs grow is to implement multiple DMZs, to contain servers that serve different purposes. Sophisticated firewalls such as Microsoft ISA Server 2004 make it easy to create multiple DMZ networks via the multi-networking feature.
For example, you might have one DMZ for resources that require authenticated access and another for those that allow anonymous access. This provides for better protection. The anonymous access DMZ would contain such resources as a public DNS server and/or an anonymous SMTP relay. Connections to this network are not authenticated.
The authenticated access DMZ contains servers that face the Internet but also require authentication and/or encryption. It’s a DMZ because it has computers that interface with the Internet, but it’s more secure than an anonymous access DMZ. You might place a front end e-mail server or an authenticated SMTP relay in this DMZ.
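The zone policy a VLAN-aware three-legged firewall would enforce for the two DMZs above (anonymous and authenticated) plus the front end/back end mail split, written as an added example that is not from the article; the zone names, VLAN ids and ports are assumptions. The audit function flags any DMZ-to-LAN rule on ports that domain controllers listen on, which the next paragraph explains must never be reachable from a DMZ.

```python
from dataclasses import dataclass

# Constructed zone layout: one firewall, three legs, with the DMZ leg
# carrying two VLAN-tagged DMZs. VLAN 0 stands for untagged Internet traffic.
ZONE_BY_VLAN = {0: "internet", 10: "lan", 20: "dmz-anon", 30: "dmz-auth"}

# Ports a domain controller listens on (Kerberos, LDAP, SMB); no DMZ may
# reach these on the LAN, since a compromised DMZ host could then attack AD.
DC_PORTS = {88, 389, 445}


@dataclass(frozen=True)
class Flow:
    src_vlan: int
    dst_vlan: int
    dst_port: int


# Allow-list of (source zone, destination zone, destination port).
# Everything not listed is dropped: default deny in every direction.
POLICY = {
    ("internet", "dmz-anon", 53),    # public DNS server
    ("internet", "dmz-anon", 25),    # anonymous SMTP relay
    ("internet", "dmz-auth", 443),   # front-end mail server (TLS, authenticated)
    ("dmz-anon", "dmz-auth", 25),    # relay hands inbound mail to the front end
    ("dmz-auth", "lan", 25),         # front end forwards to the back-end mail server
    ("lan", "dmz-auth", 443),        # internal clients use the front end
    ("lan", "dmz-anon", 53),         # internal resolvers query the public DNS
    ("lan", "internet", 443),        # outbound web from the LAN
}


def decide(flow, policy=POLICY):
    """Return 'accept' or 'drop' for a flow, keyed on VLAN tag and port."""
    src = ZONE_BY_VLAN.get(flow.src_vlan)
    dst = ZONE_BY_VLAN.get(flow.dst_vlan)
    if src is None or dst is None:
        return "drop"          # unknown VLAN tag: fail closed
    if src == dst:
        return "accept"        # intra-zone traffic never crosses the firewall
    return "accept" if (src, dst, flow.dst_port) in policy else "drop"


def audit_policy(policy):
    """List every rule that lets a DMZ zone reach the LAN on a DC port."""
    return sorted(
        rule for rule in policy
        if rule[0].startswith("dmz") and rule[1] == "lan" and rule[2] in DC_PORTS
    )
```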
Another possibility is the creation of a "honeynet" DMZ that contains servers specifically set up to attract attackers. The purpose is two-fold: the honeynet can divert attacker interest away from your actual critical resources, and you can learn about the attacks and attackers to better secure your network against them.
Using multiple DMZs is a highly scalable (and highly secure) method of deployment, but it is also more costly in terms of hardware, software and administrative overhead.
When planning a DMZ deployment to provide added protection to your network infrastructure, keep in mind that some DMZ designs are more scalable than others. As your network grows, your DMZ needs are bound to do the same.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.