Demilitarized Zone (DMZ) in computer networking

Demilitarized Zone (DMZ) in computer networking

• 1.
  SECURITY TOPOLOGIES • DMZ •Internet Zone • Intranet Zone
• 2.
  General Framework
• 3.
  1. What isa DMZ (Demilitarized Zone)? • A DMZ is a computer network that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet • Also known as a – Data Management Zone or – Demarcation Zone – Perimeter Network
• 4.
  Typical components ofDMZ network • Web servers that need to be made available to the general public, such as company's primary Web presence advertising its products or services. • Public DNS servers that resolve the names in your domain for users outside your organization to the appropriate IP addresses. • Public FTP servers on which you provide files to the public – Downloads of your product manuals or – Software drivers • Anonymous SMTP relays that forward e- mail from the Internet to internal mail server(s) • Servers running h complex e-commerce Internet and extranet applications • Proxy Servers
• 5.
  Split Configurations • Mailservices can be split between servers on the DMZ and the internal network. – Internal mail server handles e-mail from one computer to another on the internal network. – Mail that comes in or is sent to computers outside the internal network over the Internet is handled by an SMTP gateway located in the DMZ. • For e-commerce systems – Front-end server, directly accessible by Internet users is in the DMZ, – Back-end servers that store sensitive information are on the internal network.
• 6.
  DMZ with twofirewalls • DMZ that uses two firewalls, called a back to back DMZ. • An advantage of this configuration is that you can put a fast packet filtering firewall/router at the front end (the Internet edge) to increase performance of your public servers, • Place a slower application layer filtering (ALF) firewall at the back end (next to the corporate LAN) to provide more protection to the internal network without negatively impacting performance for your public
• 7.
  Tri-homed DMZ • Whena single firewall is used to create a DMZ, it's called a trihomed DMZ. • The firewall computer or appliance has interfaces to three separate networks: – The internal interface to the trusted network (the internal LAN) – The external interface to the untrusted network (the public Internet) – The interface to the semi- trusted network (the DMZ)
• 8.
  Creating a DMZInfrastructure • Two important characteristics of the DMZ are: • A different network ID from the internal network – A DMZ can use either public or private IP addresses, depending on its architecture • subnet the IP address block that is assigned by your ISP • If using private IP addresses for the DMZ, a Network Address Translation (NAT) device will be required • It is separated from both the Internet and the internal network by a firewall
• 9.
  Security of DMZ •The level of security within the DMZ also depends on the nature of the servers that are placed there. We can divide DMZs into two security categories: • DMZs designed for unauthenticated or anonymous access • DMZs designed for authenticated access
• 10.
  Host Security onthe DMZ • Be sure to set strong passwords and use RADIUS or other certificate based authentication for accessing the management console remotely. • To allow you to manage the router through a Web page, it runs an HTTP server. It is a good security practice to disable the HTTP server, as it can serve as a point of attack an use a HTTPS.
• 11.
  Example Network
• 12.
  Limit Traffic allowedinto corporate network • traffic can be allowed into the corporate network must be limited. • Traffic entering the corporate network will be coming from either the Internet or the DMZ. • Allow all traffic that originated from the corporate network can be allowed back into that network. No other traffic is desired into the corporate network 10.1.1.1/24 10.10.10.1/24 172.16.2.0/24
• 13.
  Deter Spoofing 10.1.1.1/24 10.10.10.1/24 172.16.2.0/24 • Spoofing- A common method to attempt to forge a valid internal source IP addresses. • To deter spoofing, it is decided to configure an access list so that Internet hosts cannot easily spoof an internal network addresses. • Three common source IP addresses that hackers attempt to forge are valid internal addresses (e.g., 10.10.10.0), loopback addresses (i.e.,127.x.x.x), and multicast addresses (i.e., 224.x.x.x – 239.x.x.x).
• 14.
  2. INTERNET ZONE •The internet is the name given to the entire public network which provides the infrastructure for the transfer of data between remote points. • Such data can take the form of email, web pages, files, multi-media and just about anything else that exists in digital form. • Every computer in internet is identified by IP Address. • A Special computer DNS is used to give name to the IP address.
• 15.
  INTRANET ZONE • Anintranet can be described as a mini-internet build within the safety of a secure networking environment. • Intranets are typically used to provide internal corporate web sites for employee only access. • Because the intranet servers have internal, private IP addresses and reside behind firewalls they are generally not accessible to the outside world. • If external access is needed to an intranet this is best achieved through the implementation of a Virtual Private Network (VPN).
• 16.
  VLAN • Virtual localarea networks • A way of dividing a single physical network switch among multiple network segments or broadcast domains. • Ability to configure multiple LANs on a single switch • Trunk – allows switches to share many VLANs over a single physical link • Routers needed to make different VLANs talk