
Workshop
Building an In-Depth Defense

  July 9, 2001
  By Brooke Paul



DMZ's Primary Role

The primary role of a DMZ is to mitigate risks associated with offering services to untrusted clients. A DMZ accomplishes this by providing network-level protection for your hosting environment, as well as segregating public hosting facilities from your private network infrastructure.

For example, if you're hosting a Web site, anyone with a browser can connect to it. Without a DMZ configuration, your hosting systems reside either outside your firewall (exposed to the Internet) or on a network segment in your internal network. The former scenario leaves your Web-hosting environment open to all attacks. The latter could lead to attacks against other internal, more critical systems should your Web-hosting systems be compromised. A DMZ lets you protect your Internet servers while safeguarding your mission-critical internal systems.

DMZs also play a role in securing other services inside the enterprise: those systems and data--HR or payroll records, for example--that should be available only to certain staff members. Because a relatively small population needs access to this data, you can segregate these systems to improve security.

An internal DMZ is ideal for the self-service HR intranet we mentioned. The DMZ lets you protect both the Web application server and the critical database systems (see "Secure DMZ Configuration"). This is because you need to allow only HTTP/HTTPS traffic into the DMZ Web server and database network traffic (such as SQLnet) from the DMZ Web server to the HR database system.



In most enterprises the perception is that a firewall provides a hardened perimeter. However, the security of internal networks and hosts is usually very soft. In such an environment, a non-DMZ system that is offering services to the Internet creates the opportunity to leapfrog to other hosts in the soft interior of your network. In this scenario your internal network is fair game for any attacker who manages to penetrate your so-called hard perimeter. Given the vulnerabilities and exploits available, it is safe to assume that your perimeter will be breached. It's only a question of when and how (see "Anatomy of a Network Intrusion," October 18, 1999).

One approach is to put into a DMZ hosts that do not contain sensitive data but instead proxy access to the data. This can occur via an application interface, such as a Web site, or via a network protocol reverse proxy, such as HTTP or SQLnet. This separation of data from the application layer within the network provides an additional level of security, because a compromise of the DMZ system doesn't directly expose the internal systems that house business-critical data to network attacks. Now an attacker has an additional barrier to overcome once an initial penetration has been successful. And you have more time to respond to the attack before critical data is compromised.

Host Hardening

A DMZ configuration provides a natural layer for the implementation of additional security measures, such as host hardening and network or host-based intrusion detection. Host hardening is the process of configuring host systems so they are more secure than the default configuration, which typically is sorely lacking in security. Implementing host security raises an attack's difficulty and cost.

As an IT administrator, you may not be able to require that all systems deployed in an enterprise meet strict hardened security requirements. However, you may be able to insist on such requirements for DMZ-based systems and business-critical back-end systems, because they are a small subset of existing systems and there is a general understanding that they are exposed to higher risks than are general-purpose internal systems. Also, the effort in managing and maintaining this special high-security configuration is relatively low, because it comprises a small number of systems.



Border Patrol

A DMZ configuration with intrusion detection can add significant security benefits. As noted, the DMZ buys time for administrators to respond to an attack, because the attack is segregated from internal systems by your network-access controls. Your high-value data and systems are elsewhere, so the attacker must spend time finding a way out of your DMZ and into them. This "time-based" security lets you protect business-critical systems and data through the use of monitoring and response procedures. The key is to make sure you have properly tuned your IDS and that your incident-response procedures are well-defined and communicated.

Limit Egress Traffic

A DMZ can also limit outbound access to extranets or the Internet. Restricting outbound access from DMZ hosts increases the security of your internal systems and prevents an intruder from using your network as a launching pad for attacks against others. If your DMZ allows only essential outbound traffic, the chance that a compromised DMZ system will be used to attack a third party or your internal systems is greatly reduced.
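The internal-DMZ policy described earlier (only HTTP/HTTPS into the DMZ Web server, only SQLnet from that server to the HR database) together with the egress limit from this section, as an added example that is not part of the original article: a small Python model of a first-match, default-deny rule set evaluated against constructed flows. The zone ranges, host addresses and the SQL*Net port (TCP 1521, the usual Oracle listener port) are assumptions, not values from the article.

```python
import ipaddress
from typing import NamedTuple, Optional

IP = ipaddress.IPv4Address
# Zone ranges and host addresses are constructed for this example.
ZONES = {  # most specific first; "internet" is the catch-all
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}
WEB_SERVER = IP("192.0.2.10")   # DMZ web/application server
HR_DB = IP("10.20.0.5")         # business-critical HR database, inside

class Rule(NamedTuple):
    src_zone: str
    src_host: Optional[IP]       # None = any host in src_zone
    dst_zone: str
    dst_host: Optional[IP]       # None = any host in dst_zone
    ports: Optional[frozenset]   # None = any TCP port
    action: str                  # "allow" or "deny"

# First-match rule set. TCP 1521 (Oracle listener, the usual SQL*Net port)
# is an assumption; the article names the protocol, not a port.
RULES = [
    # Ingress: untrusted clients reach only the web server, only HTTP/HTTPS.
    Rule("internet", None, "dmz", WEB_SERVER, frozenset({80, 443}), "allow"),
    # Segregation: only the web server may talk to the HR DB, only SQL*Net.
    Rule("dmz", WEB_SERVER, "internal", HR_DB, frozenset({1521}), "allow"),
    # Egress limit: no other path out of the DMZ, so a compromised web
    # server cannot be used as a launching pad against others or the inside.
    Rule("dmz", None, "internet", None, None, "deny"),
    Rule("dmz", None, "internal", None, None, "deny"),
]

def zone_of(ip: IP) -> str:
    return next(name for name, net in ZONES.items() if ip in net)

def decide(src: str, dst: str, port: int) -> str:
    """Action of the first matching rule; deny when nothing matches."""
    s, d = IP(src), IP(dst)
    for r in RULES:
        if (r.src_zone == zone_of(s) and r.dst_zone == zone_of(d)
                and r.src_host in (None, s) and r.dst_host in (None, d)
                and (r.ports is None or port in r.ports)):
            return r.action
    return "deny"   # anything not explicitly permitted is dropped

def audit(flows):
    """Evaluate constructed (src, dst, port) flows, e.g. from a flow log."""
    return [(src, dst, port, decide(src, dst, port)) for src, dst, port in flows]
```

Replaying observed flows through `audit` is a quick way to confirm that a firewall change has not silently opened a path from the DMZ into the interior or back out to the Internet.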

The key to realizing a DMZ's benefits is to understand that it is only part of a comprehensive program for defense in depth. The value of a DMZ can be increased through intrusion-detection systems and host-based security measures. This combination of controls and monitoring technologies can go a long way to mitigating the risks associated with providing broad access to business-critical data.

Brooke Paul is vice president of AFG Technology Division, part of American Financial Group. His duties include information security program management for AFG. Send your comments on this article to him at bpaul@nwc.com. The opinions expressed here represent the author's opinions and not necessarily those of AFG, its affiliates or subsidiaries.
