The demilitarized zone (DMZ) feature of a network offers many
traditional and nontraditional uses. Typically, a DMZ is a separate port (or
ports) off a firewall, sitting on its own network subnet. You can use a DMZ to
host services for public use that don’t require connectivity to an internal
network.
Chances are good that your organization already has a DMZ on
its network that hosts public Web or FTP servers. While this is a good use, DMZ
functionality offers an even better use for an organization’s internal security:
Use the DMZ to install new Windows machines and their multitude of updates.
Current statistics from various Internet security firms
indicate that you have about 20 to 30 seconds before something scans an unprotected
machine—and four minutes before an attack occurs. And these figures are
independent of the specific operating system the machine is running.
That doesn’t leave much time to secure a new installation,
but there is a method that can give you an edge. Let’s look at how you can use
a DMZ for installations to better protect your network’s security.
The first item of business is establishing a DMZ off your
network that’s an IP space isolated from the production network. This buffers
business traffic from your “nonsecure” environment.
Next, establish firewall and router access control lists
(ACLs) that only allow required Web traffic out to specific networks. These
networks need to cover only the operating systems and antivirus software that
you plan to install and update at the DMZ installation point. A DNS server that
only resolves requests for Microsoft.com, Sun.com, RedHat.com, and your
antivirus vendor should do the trick.
Think of your DMZ installation point as a clean room, and
make absolutely certain to install a good operating system that’s up to date
and virus-free. Only then should you connect and join the new machine to your
internal network.
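The three controls described above (an isolated staging subnet, a default-deny egress ACL that permits only Web traffic to the update sources, and a resolver that only answers for the vendors' domains) can be expressed as a small policy model. The following is an added example, not code from the original article; the address blocks for Microsoft.com, Sun.com, RedHat.com and the antivirus vendor are constructed placeholders from the RFC 5737/5737-style documentation ranges, the DMZ subnet and the key=value log format are assumptions, and av-vendor.example stands in for whatever vendor you actually use.

```python
"""Egress policy model for a DMZ installation point (added example).

Models the two controls the article calls for: a firewall/router ACL that
only lets required Web traffic out to specific networks, and a DNS resolver
that only answers for the update vendors' zones. It then audits constructed
firewall log lines so a staging host that tries to reach anything else is
flagged before it is joined to the internal network.
"""
import ipaddress

# Assumption: the staging DMZ is its own isolated subnet (documentation range).
DMZ_SUBNET = ipaddress.ip_network("192.0.2.0/24")

# Assumption: one entry per update source: (DNS zone, address block, TCP ports).
# The prefixes are constructed placeholders, not the vendors' real networks.
ALLOWED_EGRESS = [
    ("microsoft.com",      ipaddress.ip_network("198.51.100.0/24"),   {80, 443}),
    ("sun.com",            ipaddress.ip_network("203.0.113.0/25"),    {80, 443}),
    ("redhat.com",         ipaddress.ip_network("203.0.113.128/25"),  {80, 443}),
    ("av-vendor.example",  ipaddress.ip_network("198.18.0.0/24"),     {80, 443}),
]

# The DMZ resolver answers only for these zones and their subdomains.
ALLOWED_ZONES = tuple(zone for zone, _, _ in ALLOWED_EGRESS)


def dns_allowed(name: str) -> bool:
    """True if the staging resolver should answer a query for this name."""
    name = name.rstrip(".").lower()
    # Exact zone match or a label boundary: 'notmicrosoft.com' is refused.
    return any(name == z or name.endswith("." + z) for z in ALLOWED_ZONES)


def egress_allowed(src: str, dst: str, dport: int) -> bool:
    """Default-deny ACL: a DMZ host may reach only listed networks on listed ports."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in DMZ_SUBNET:
        return False  # only staging hosts are covered by this allow list
    return any(dst_ip in net and dport in ports for _, net, ports in ALLOWED_EGRESS)


def audit_log(lines):
    """Return (src, dst, dport) for every connection attempt the ACL denies.

    A staging host that is repeatedly denied is behaving like an infected
    machine and should be examined, not joined to the internal network.
    """
    denied = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split())
        src, dst, dport = fields["src"], fields["dst"], int(fields["dport"])
        if not egress_allowed(src, dst, dport):
            denied.append((src, dst, dport))
    return denied


# Constructed sample firewall log lines (key=value layout is an assumption).
SAMPLE_LOG = [
    "src=192.0.2.10 dst=198.51.100.7 dport=443",   # update download: allowed
    "src=192.0.2.10 dst=203.0.113.200 dport=80",   # redhat.com block: allowed
    "src=192.0.2.11 dst=192.168.1.5 dport=445",    # toward an internal subnet: denied
    "src=192.0.2.11 dst=203.0.113.9 dport=6667",   # allowed network, wrong port: denied
]

if __name__ == "__main__":
    for name in ("windowsupdate.microsoft.com", "notmicrosoft.com"):
        print(f"DNS {name}: {'answer' if dns_allowed(name) else 'refuse'}")
    for entry in audit_log(SAMPLE_LOG):
        print("denied:", entry)
```

The second sample log entry (an allowed vendor network on a port that is not in the list) is the case worth watching: a host that reaches the right network on the wrong port is exactly what a port-based ACL exists to stop, and the audit surfaces it alongside the attempt to reach the internal subnet.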
Viruses and Trojans can wreak havoc on a protected but open
internal network. Don’t bring a newly infected machine into your environment
without that initial verification. Once you’ve joined the machine to the
network, you can apply a software image as well as your own rigorous internal
security conditions.
Final thoughts
Leaving an unprotected machine plugged into the Internet is
an open invitation to black hats. That’s why setting up a DMZ installation
point is a good exercise in network security resource management.
If your network is large enough and you run a Windows
network, I definitely advocate images and Microsoft Software Update Services
(SUS) to complement the DMZ installation point. The time and money you spend
making and managing images and an update server will always be less than the
time you spend cleaning up after a security incident occurs.
Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security
Center.