A DMZ network, named after the demilitarized area that sits between two areas controlled by opposing forces or nations, is a subnetwork on an organization’s network infrastructure that is located between the protected internal network and an untrusted network (often the Internet). An organization’s DMZ network contains public-facing services and is designed to help protect the internal networks.
A DMZ is designed to provide a location for services that belong to an organization but are less trusted or more exposed to compromise. Examples of systems that are commonly deployed on a DMZ include:
All of these systems must be reachable from the Internet. That exposure cuts both ways: each of them can be compromised directly (for example, through a web application vulnerability) or abused as a tool in someone else's attack, as when an open DNS resolver is used for Distributed Denial of Service (DDoS) amplification.
A DMZ enables an organization to expose Internet-facing functionality without placing the rest of its internal systems at risk. Systems on the DMZ may still need access to internal systems and sensitive data, such as the customer records in a database behind a web application. Those connections, however, are limited to the specific flows the service requires (a particular source host, destination host, and port) and undergo additional inspection for malicious content before they cross into the internal network.
A DMZ is an isolated subnetwork within an organization's network. It is defined by two strictly segmented boundaries: one between the DMZ and the untrusted outside network (such as the Internet) and one between the DMZ and the trusted internal network.
These boundaries are strictly enforced. An organization deploys firewalls at both of the DMZ's boundaries, either as two separate devices or as a single firewall with a dedicated interface for each zone; two separate devices limit the damage a single misconfiguration or compromised firewall can do. Next-generation firewalls (NGFWs) inspect all traffic crossing a boundary and can detect and block malicious content before it moves from the Internet into the DMZ or from the DMZ into the protected internal network.
These firewalls are essential to the security of the DMZ because they enforce access controls between the DMZ and internal systems. Those controls, written as an explicit allow-list with everything else denied, minimize the chance that a compromised DMZ host puts internal systems at risk and deny an attacker the ability to move laterally from the DMZ into the rest of the network.
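The access-control point above is easiest to see with a concrete ruleset. The following is an added example, not code from the original page or from Check Point: a small zone-based policy model with first-match semantics and a default deny, evaluated against two policies. The weak policy has the common mistake of a blanket "DMZ may reach internal" rule; the hardened one permits only the single database flow the web application needs. Zone address ranges, host addresses, and port numbers are constructed for the example (documentation ranges), and `lateral_surface` enumerates what a compromised DMZ host could reach internally under each policy.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan for the example: public DMZ range and private internal range.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything not in a known zone is the untrusted Internet."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                     # "allow" or "deny"
    proto: Optional[str] = None     # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port
    src_net: Optional[str] = None   # None matches any source address
    dst_net: Optional[str] = None   # None matches any destination address

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        if (zone_of(src_ip), zone_of(dst_ip)) != (self.src_zone, self.dst_zone):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        if self.src_net is not None and ip_address(src_ip) not in ip_network(self.src_net):
            return False
        if self.dst_net is not None and ip_address(dst_ip) not in ip_network(self.dst_net):
            return False
        return True


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """First matching rule wins; a flow no rule mentions is dropped (default deny)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"


# Weak policy: the Internet-facing rules are fine, but the last rule lets any
# DMZ host open any connection into the internal network.
WEAK_POLICY = [
    Rule("internet", "dmz", "allow", "tcp", 443),
    Rule("internet", "dmz", "allow", "udp", 53),
    Rule("dmz", "internal", "allow"),  # overbroad: no port, no host restriction
]

# Hardened policy: each Internet-facing service is pinned to its host, and the only
# DMZ-to-internal flow is the web server talking to its database on one port.
HARDENED_POLICY = [
    Rule("internet", "dmz", "allow", "tcp", 443, dst_net="192.0.2.10/32"),
    Rule("internet", "dmz", "allow", "udp", 53, dst_net="192.0.2.53/32"),
    Rule("dmz", "internal", "allow", "tcp", 5432,
         src_net="192.0.2.10/32", dst_net="10.0.1.20/32"),
    Rule("dmz", "internal", "deny"),  # explicit catch-all so the drop is logged
]


def lateral_surface(rules: List[Rule], dmz_hosts: List[str],
                    internal_hosts: List[str], ports: List[int]) -> List[Tuple[str, str, int]]:
    """Every (DMZ host, internal host, TCP port) an attacker on the DMZ could reach."""
    return sorted(
        (src, dst, port)
        for src in dmz_hosts
        for dst in internal_hosts
        for port in ports
        if evaluate(rules, src, dst, "tcp", port) == "allow"
    )


if __name__ == "__main__":
    dmz = ["192.0.2.10", "192.0.2.53"]          # web server, DNS server
    internal = ["10.0.1.20", "10.0.1.30"]       # database, file server
    probe_ports = [22, 445, 5432]
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lateral_surface(policy, dmz, internal, probe_ports))
```

The explicit `Rule("dmz", "internal", "deny")` at the end of the hardened policy is redundant with the default deny, but on a real firewall that catch-all is where you attach logging, and a compromised DMZ host probing internal ports shows up there first.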
While a firewall is all that is required to define a DMZ's boundaries, an organization can layer additional defenses at those boundaries. Depending on the services hosted in the DMZ, it may deploy a web application firewall (WAF) in front of web servers, an email scanning solution in front of mail relays, or other controls that give targeted protection to the specific services exposed.
Implementing a DMZ enables an organization to define multiple different levels and zones of trust within its network. This provides a number of benefits to an organization, including:
A DMZ provides an organization with an additional level of protection between an organization’s internal network and the public Internet. By isolating potentially vulnerable systems on a DMZ, an organization decreases risk to its internal systems.
However, a DMZ is only as strong as the firewalls defending its boundaries: they must be able to detect threats in the traffic they pass and enforce tight access controls on what the DMZ may reach. To learn what to look for in an NGFW, check out this buyer's guide. You're also welcome to check out this demo to see how Check Point NGFWs can improve your network security.