The best example of a demilitarized zone (DMZ) today is a heavily guarded strip of land in Korea. It's the area on either side of the boundary between North Korea and South Korea that's intended to keep each nation from accidentally starting a war with the other. In computing, a DMZ is similar in concept in that it provides a place that keeps the untrusted world of the internet out of your organization's internal network, while still offering services to the outside world. For a long time, any IT professional building almost any kind of internet-connected network put together a DMZ as a matter of course. But the cloud has changed all that.
Continue Reading Below
The reason is that the cloud has obviated the need for most companies to host their own web servers. Back in the day, if you had an in-house web server that was open to the public, then you'd want that server to live in your DMZ. Likewise, you'd have wanted your email server there, and any other outward-facing servers, such as your remote access gateway, an authentication server, proxy server, or perhaps even a Telnet server. These are all devices that must be accessible from the internet but which provide services from your organization. Today, of course, most companies use hosted email providers along with deploying Software-as-a-Service (SaaS) applications that make housing externally-facing web servers in your data closet unnecessary.
Enterprise additional security measures taken 2017
If you've still got a DMZ in operation, then you'll find it's a typical example of network segmentation. Look closely and you'll generally find some combination of firewalls and routers. In most cases, the DMZ will be created by an edge security device (usually a firewall) that's then backed up by another router or firewall guarding the gates to the internal network.
While most organizations no longer need a DMZ to protect themselves from the outside world, the concept of separating valuable digital goodies from the rest of your network is still a potent security strategy. If you apply the DMZ mechanism on an entirely internal basis, then there are still use cases that makes sense. One example is protecting access to valuable data stores, access control lists, or similar treasure troves; you'll want any potential unauthorized users to jump through as many additional hoops as possible before they gain access.
How a DMZ Works
A DMZ works like this: There will be an edge firewall that faces the horrors of the open internet. After that will be the DMZ and another firewall that protects your company local area network (LAN). Behind that firewall will be your internal network. By adding this extra in-between network, you can implement additional security layers that malcontents will need to defeat before they can get to your actual internal network—where everything is presumably also covered not only by network access controls but endpoint protection suites, too.
In between the first firewall and the second, you'll normally find a switch that provides a network connection to the servers and devices that need to be available to the internet. The switch also provides a connection to the second firewall.
The first firewall should be configured to only allow traffic that needs to reach your internal LAN and the servers in the DMZ. The internal firewall should allow traffic only through specific ports that are necessary for the operation of your internal network.
In the DMZ, you should configure your servers to only accept traffic on specific ports and to accept only specific protocols. For example, you will want to limit traffic on Port 80 to HyperText Transfer Protocol (HTTP) only. You'll also want to configure those servers so that they run only the services necessary for them to function. You may also want to have an intrusion detection system (IDS) monitor activity on the servers in your DMZ so that a malware attack that makes it through the firewall can be detected and stopped.
The internal firewall should be a next-generation firewall (NGFW) that performs inspections of your traffic that goes through the open ports in your firewall and also looks for indications of intrusions or malware. This is the firewall that's protecting the crown jewels of your network so it's not the place to skimp. Makers of NGFWs include Barracude, Check Point, Cisco, Fortinet, Juniper, and Palo Alto, among others.
Ethernet Ports as DMZ Ports
For smaller organizations, there's another less costly approach that will still provide a DMZ. Many home and small business routers include a function that allows you to designate one of the Ethernet ports as a DMZ port. This allows you to put a device such as a web server on that port where it can share your IP address but also be available to the outside world. Needless to say, this server should be as locked down as possible and have only absolutely necessary services running. To flesh out your segment, you can attach a separate switch to that port and have more than one device in the DMZ.
The downside to the use of such a designated DMZ port is that you have only one point of failure. Even though most of these routers also include an embedded firewall, they generally don't include the full feature set of a NGFW. In addition, if the router is breached, then so is your network.
While a router-based DMZ does work, it's probably not as secure as you want it to be. At the very least, you might want to consider adding a second firewall behind it. This will cost a little extra but it won't cost nearly as much as a data breach will. The other major consequence with such a setup is that it's more complex to administer and, considering that the smaller companies that might use this approach typically don't have an IT staff, you may want to engage a consultant to set this up and then manage it from time to time.
A Requiem for the DMZ
As mentioned previously, you won't find too many DMZ still running in the wild. The reason is that the DMZ was intended to fill a function that today is being handled in the cloud for the vast majority of business functions. Every SaaS app you deploy and every server you host all move externally-facing infrastructure out of your data center and into the cloud, and DMZs have gone along for the ride. It means you can pick a cloud service, launch an instance that includes a web server, and protect that server with the cloud provider's firewall and you're set. No need to add a separately configured network segment to your internal network since everything is happening elsewhere anyhow. Plus, those other functions that you might use with a DMZ are also available in the cloud, and by going that way, you'll be even safer.
Still, as a general security tactic, it's an entirely viable measure. Creating a DMZ-style network segment behind your firewall brings the same benefits as it did when you used to squash one between your LAN and the internet: another segment means more protection you can force the bad guys to have to penetrate before they can get to what they really want. And the more they have to work, the longer you or your threat detection and response system have to spot them and react.