Wednesday, May 12, 2010
Demilitarized zone (DMZ)
A Demilitarized zone (DMZ) is an area where you can place a public server for access bypeople you might not trust otherwise. By isolating a server in a DMZ, you can hide or
remove access to other areas of your network. You can still access the server using your network,but others aren't able to access further network resources. This can be accomplished using firewalls to isolate your network.
When establishing a DMZ, you assume that the person accessing the resource isn't necessarily someone you would trust with other information. Figure 1.13 shows a server placed in a DMZ. Notice that the rest of the network isn't visible to external users. This lowers the threat of intrusion in the internal network.The easiest way to create a DMZ is to use a firewall that can transmit in three directions:Tip:Anytime you want to separate public information from private information,a DMZ is an accceptable option.
to the internal network, to the external world (Internet), and to the public information you’re
sharing (the DMZ). From there, you can decide what traffic goes where; for example, HTTP
traffic would be sent to the DMZ, and e-mail would go to the internal network.
Security Zones:Exteranet
An extranet is illustrated in the figure above. Note that this network provides a connection
between the two organizations. The connection may be through the Internet; if so, these
networks would use a tunneling protocol to accomplish a secure connection.
Security Zones:Interanet
Intranets are private networks implemented and maintained by an individual company or
organization. You can think of an intranet as an Internet that doesn't leave your company;
it's internal to the company, and access is limited to systems within the intranet. Intranets use the same technologies used by the Internet. They can be connected to the Internet but can't be accessed by users who aren't authorized to be part of them; the anonymous user of the Internet is instead an authorized user of the intranet. Access to the intranet is granted to trusted users inside the corporate network or to users in remote locations.
Security Zones:The Internet
Security Zones
Over time, networks can become complex beasts. What may have started as a handful of computers sharing resources can quickly grow to something resembling an electrician's nightmare. The networks may even appear to have lives of their own. It's common for a network to have connections among departments, companies, countries, and public access using private communication paths and through the Internet.
Not everyone in a network needs access to all the assets in the network. The term security zone describes design methods that isolate systems from other systems or networks.
You can isolate networks from each other using hardware and software. A router is a good example of a hardware solution: You can configure some machines on the network to be in a certain address range and others to be in a different address range. This separation makes the two networks invisible to each other unless a router connects them. Some of the newer data switches also allow you to partition networks into smaller networks or private zones.
When discussing security zones in a network, it's helpful to think of them as rooms.
You may have some rooms in your house or office that anyone can enter. For other rooms,access is limited to specific individuals for specific purposes. Establishing security zones is a similar process in a network: Security zones allow you to isolate systems from unauthorized users. Here are the four most common security zones you'll encounter:
- Internet
- Intranet
- Extranet
- Demilitarized zone (DMZ)
The next few posts identify the topologies used to create security zones to provide
Security. The Internet has become a boon to individuals and to businesses, but it creates a challenge for security. By implementing intranets, extranets, and DMZs, you can create a reasonably secure environment for your organization.