Prevention: DMZ Flashcards

1
Q

DMZ

A

DMZs and honeypots are security controls that can help an organization implement the “defense-in-depth” concept, using multiple layers of security to slow down an attacker, giving defenders a chance to detect and eliminate them. Both of these defenses are covered in more detail below.

2
Q

What is a DMZ?

A

In computer networks, a DMZ (demilitarized zone) is a physical or logical subnet that separates an internal local area network (LAN) from other untrusted networks (usually the internet). External-facing servers, resources, and services located in the DMZ are directly accessible from the internet; however, this layer keeps the internal LAN unreachable, providing an additional layer of security to the LAN as it restricts an attacker’s ability to directly access internal servers and data via the internet.

So what are DMZs used for?

Protect sensitive organizational systems and resources.
Isolate and keep potential target systems separate from internal networks.
Reduce and control access to those systems outside the organization.

3
Q

DMZ Systems

A

What services and systems are placed in a DMZ?

Any service provided to users on the public internet should be placed in the DMZ network. Some of the most common of these services include web servers and proxy servers, as well as servers for email, domain name system (DNS), File Transfer Protocol (FTP) and voice over IP (VoIP).

4
Q

Architecture

A

There are numerous ways to construct a network with a DMZ. The two major methods are a single firewall (sometimes called a three-legged model) or dual firewalls. Either design can be expanded to create more complex architectures built to satisfy network requirements.

DMZ Architecture – Single Firewall

A modest approach to network architecture involves using a single firewall with a minimum of three network interfaces. The DMZ is placed inside this firewall. The tiers operate as follows: the first network interface carries the connection from the ISP (the external network), the second connects the internal (private) network, and the third handles connections within the DMZ.

5
Q

DMZ Architecture – Dual Firewall

A

The more secure approach is to use two firewalls to create a DMZ. The first firewall (referred to as the “frontend” firewall) is configured to allow only traffic destined for the DMZ. The second firewall (referred to as the “backend” firewall) is responsible only for the traffic that travels from the DMZ to the internal (private) network. An effective way of further increasing protection is to use firewalls built by separate vendors, because they are less likely to share the same security vulnerabilities. While more effective, this scheme can be more costly to implement across a large network.
