Install new machines in a DMZ for better security

Current statistics indicate that you have about 20 to 30 seconds before something scans an unprotected machine—and four minutes before an attack occurs. That doesn't leave much time to secure a new installation. Mike Mullins explains how setting up new machines in a demilitarized zone (DMZ) on your network can help protect your overall network security.

The demilitarized zone (DMZ) feature of a network offers many traditional and nontraditional uses. Typically, a DMZ is a separate port (or ports) off a firewall that has a different network subnet. You can use a DMZ to host services for public use that don't require connectivity to an internal network.

Chances are good that your organization already has a DMZ on its network that hosts public Web or FTP servers. While this is a good use, DMZ functionality offers an even better use for an organization's internal security: Use the DMZ to install new Windows machines and their multitude of updates.

Current statistics from various Internet security firms indicate that you have about 20 to 30 seconds before something scans an unprotected machine—and four minutes before an attack occurs. And these figures are independent of the specific operating system the machine is running.

That doesn't leave much time to secure a new installation, but there is a method that can give you an edge. Let's look at how you can use a DMZ for installations to better protect your network's security.

The first item of business is establishing a DMZ off your network that's an IP space isolated from the production network. This buffers business traffic from your "nonsecure" environment.

Next, establish firewall and router access control lists (ACLs) that only allow required Web traffic out to specific networks. These networks need to cover only the operating systems and antivirus software that you plan to install and update at the DMZ installation point. A DNS server that only resolves requests for,,, and your antivirus vendor should do the trick.

Think of your DMZ installation point as a clean room, and make absolutely certain to install a good operating system that's up to date and virus-free. Only then should you connect and join the new machine to your internal network.

Viruses and Trojans can wreak havoc on a protected but open internal network. Don't bring a newly infected machine into your environment without that initial verification. Once you've joined the machine to the network, you can apply a software image as well as your own rigorous internal security conditions.

Final thoughts

Leaving an unprotected machine plugged into the Internet is an open invitation to black hats. That's why setting up a DMZ installation point is a good exercise in network security resource management.

If your network is large enough and you run a Windows network, I definitely advocate images and Microsoft Software Update Services (SUS) to complement the DMZ installation point. The time and money you spend making and managing images and an update server will always be less than the time you spend cleaning up after a security incident occurs.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

Editor's Picks

Free Newsletters, In your Inbox