SolutionBase: Strengthen network defenses by using a DMZ

Nations seperate armies through the use of a DMZ, or demilitarized zone. You can seperate your network and users from the threats faced on the Internet by deploying a DMZ as well. Here's what you need to know about how a DMZ works.

The concept of the DMZ, like many other network security concepts, was borrowed from military terminology. Geopolitically, a demilitarized zone (DMZ) is an area that runs between two territories that are hostile to one another or two opposing forces' battle lines. The term was first widely used to refer to the strip of land that cuts across the Korean peninsula and separates the North from the South. In computer networking, the DMZ likewise provides a buffer zone that separates an internal network from the often hostile territory of the Internet. Sometimes it's called a "screened subnet" or a "perimeter network," but the purpose remains the same.

In this article, we'll look at how the DMZ works and different security architectures for building DMZs. In the second article of this two-part article, we'll talk about what computers should (and shouldn't) be placed in the DMZ and how to monitor DMZ activity.

How the DMZ Works

Unlike the geopolitical DMZ, a DMZ network is not a no-man's land that belongs to nobody. When you create a DMZ for your organization, it belongs to you and is under your control. However, it is an isolated network that's separate from your corporate LAN (the "internal" network). The DMZ uses IP addresses belonging to a different network ID.

If you think of the internal network as the "trusted" network and the external public network (the Internet) as the "untrusted" network, you can think of the DMZ as a "semi-trusted" area. It's not as secured as the LAN, but because it is behind a firewall, neither is it as non-secure as the Internet. You can also think of the DMZ as a "liaison network" that can communicate with both the Internet and the LAN while sitting between the two, as illustrated by Figure A.

Figure A

The DMZ sits between the "hostile" Internet and the internal corporate network

What does this accomplish? You can place computers that need to communicate directly with the Internet (public servers) in the DMZ instead of on your internal network. They will be protected by the outer firewall, although they are still at risk simply because they have direct contact with Internet computers. Because the DMZ is only "semi-secure," it's easier to hack a computer in the DMZ than on the internal network. The good news is that if a DMZ computer does get hacked, it doesn't compromise the security of the internal network, because it's on a completely separate, isolated network.

Why put any computers in this riskier network? Let's take an example: in order to do its job (make your Web site available to members of the public), your Web server has to be accessible to the Internet. But having a server on your network that's accessible from the Internet puts the entire network at risk. There are three ways to reduce that risk:

  • You could pay a hosting company to host your Web sites on their machines and network. However, this gives you less control over your Web servers.
  • You could host the public servers on the firewall computer. However, best security practices say the firewall computer should be dedicated solely to act as a firewall (this reduces the chances of the firewall being compromised), and practically speaking, this would impair the firewall's performance. Besides, if you have a firewall appliance running a proprietary OS, you won't be able to install other services on it.
  • The third solution is to put the public Web servers on a separate, isolated network: the DMZ.

Creating a DMZ Infrastructure

The DMZ is created by two basic components: IP addresses and firewalls. Remember that two important characteristics of the DMZ are:

  1. It has a different network ID from the internal network
  2. It is separated from both the Internet and the internal network by a firewall

IP Addressing Scheme

A DMZ can use either public or private IP addresses, depending on its architecture and firewall configuration. If you use public addresses, you'll usually need to subnet the IP address block that you have assigned to you by your ISP, so that you have two separate network IDs. One of the network IDs will be used for the external interface of your firewall and the other will be used for the DMZ network.

When you subnet your IP address block, you must configure your router to know how to get to the DMZ subnet.

You can create a DMZ within the same network ID that you use for your internal network, by using Virtual LAN (VLAN) tagging. This is a method of partitioning traffic that shares a common switch, by creating virtual local area networks as described in IEEE standard 802.1q. This specification creates a standard way of tagging Ethernet frames with information about VLAN membership.

If you use private IP addresses for the DMZ, you'll need a Network Address Translation (NAT) device to translate the private addresses to a public address at the Internet edge. Some firewalls provide address translation.

Whether to choose a NAT relationship or a routed relationship between the Internet and the DMZ depends on the applications you need to support, as some applications don't work well with NAT.

DMZ Firewalls

When we say that a firewall must separate the DMZ from both the internal LAN and the Internet, that doesn't necessarily mean you have to buy two firewalls. If you have a "three legged firewall" (one with at least three network interfaces), the same firewall can serve both functions. On the other hand, there are reasons you might want to use two separate firewalls (a front end and a back end firewall) to create the DMZ.

Figure A above illustrates a DMZ that uses two firewalls, called a back to back DMZ. An advantage of this configuration is that you can put a fast packet filtering firewall/router at the front end (the Internet edge) to increase performance of your public servers, and place a slower application layer filtering (ALF) firewall at the back end (next to the corporate LAN) to provide more protection to the internal network without negatively impacting performance for your public servers. Each firewall in this configuration has two interfaces. The front end firewall has an external interface to the Internet and an internal interface to the DMZ, whereas the backend firewall has an external interface to the DMZ and an internal interface to the corporate LAN.

When you use a single firewall to create a DMZ, it's called a trihomed DMZ. That's because the firewall computer or appliance has interfaces to three separate networks:

  1. The internal interface to the trusted network (the internal LAN)
  2. The external interface to the untrusted network (the public Internet)
  3. The interface to the semi-trusted network (the DMZ)

The trihomed DMZ looks like Figure B.

Figure B

A trihomed DMZ uses a "three legged" firewall to create separate networks

Even if you use a single trihomed firewall to protect both the DMZ and the internal network, you should be able to configure separate rules for evaluating traffic depending on its origin and destination. That is, there should be separate rules for:

  • Incoming traffic from the Internet to the DMZ
  • Incoming traffic from the DMZ to the internal LAN
  • Incoming traffic from the Internet to the internal network
  • Outgoing traffic from the internal network to the DMZ
  • Outgoing traffic from the internal network to the Internet
  • Outgoing traffic from the DMZ to the Internet

The DMZ actually reduces the complexity of filtering traffic, because you can have one rule for all the computers in the DMZ. If you were hosting the public servers on the internal network, you would need to configure different rules for each hosting server, and you would have to "publish" each server to allow it to be accessed from the Internet.

You'll probably want to block traffic from the Internet to the internal computers. You should also restrict traffic from the DMZ to the internal network, as well as traffic from the Internet to the DMZ. Allow only the traffic that is necessary for your users to access the resources they need. This means using the "principle of least privilege" in that your default is to start by denying all traffic and then allowing protocols and opening ports on a "need to know" basis.

Vendor Support for DMZs

Major hardware and software vendors support the DMZ concept in their products. Cisco routers have multiple LAN ports, one of which is designated as a DMZ port, and the IOS operating system uses Port Address Translation (PAT) to allow traffic to be routed to multiple servers with a single IP address destination. As the name implies, it uses port numbers (such as 80 for the Web server and 25 for the mail server) to distinguish between the multiple servers. This allows you to have multiple public servers without paying for multiple public IP addresses.

Many firewall appliances, such as the SonicWall, come with three Ethernet ports: a LAN port (to connect to the internal network), a WAN port (to connect to the Internet) and a DMZ port (to connect to the network housing your public servers).

Microsoft's ISA Server 2004's multi-networking feature allows you to connect the ISA Server firewall to as many networks as you wish, limited only by the number of network interface cards you can install in the machine. No network is automatically "trusted" in the new ISA model, so you configure security according to the needs of the particular network.

Common DMZ Security Architectures

A DMZ is considered by many to be a "wide open" network, much like the geopolitical DMZ where you risk being shot anytime you set foot inside it. However, all DMZs are not created equal when it comes to the security architecture. Even when you place computers in the DMZ, there are still ways to protect them. The level of security within the DMZ also depends on the nature of the servers that are placed there. We can divide DMZs into two security categories:

  1. DMZs designed for unauthenticated or anonymous access
  2. DMZs designed for authenticated access

If you have a Web server that you want everybody on the Internet to be able to access, (such as a Web presence advertising your company), you'll have to allow anonymous access. You can't easily provide authentication credentials to every stranger who happens upon your site. However, if your Internet-facing servers on the DMZ are used by partners, customers, or employees working off-site, you can require authentication to access them. This makes it more difficult for a hacker to gain access.

The DMZ Honeynet

There is a special use for the anonymous DMZ that's being more popular: creating a "honeynet." This is a network that consists of one or more "honeypot" computers that are designed to lure hackers --either so they can be caught or tracked, or to divert them from the network's real resources. Unlike with other DMZs, you actually want this network to be compromised.

Often the computers on the honeynet are virtual machines that are all installed on a single physical machine, and intrusion detection systems and other monitoring systems are put in place to gather information about the hackers' techniques, tactics and identities.

Host Security on the DMZ

Because the DMZ is a less secure network than the internal network, host security is even more important for the computers that are "out there." The servers on your DMZ should be hardened as much as possible (while maintaining their accessibility to those who need to access them). This means:

  • All unnecessary services should be disabled.
  • Necessary services should be run with the lowest privileges possible.
  • Strong passwords or passphrases should be used.
  • Unnecessary user accounts should be deleted or disabled and default accounts should be disguised by renaming, changing the description, etc.
  • Systems should have the latest security updates and patches applied.
  • Security logging should be enabled (and you should check the logs frequently!)

The Evolution of the DMZ

The definition of "DMZ" is becoming broader, as more uses are found for these "semi-trusted" networks. Today's networks are complex, and security specialists are beginning to realize that the concept of the network "edge" or "perimeter" is outdated; an enterprise network has multiple perimeters. Thus, DMZs may be appropriate at places other than at the edge of the Internet, and large networks can benefit from having multiple DMZs.