Start networking and exchanging professional insights

Register now or log in to join your professional community.

Follow

What is the role of the DMZ in network architecture?

user-image
Question added by Kirby Carl Lapaz , Info Tech , Gaisano Capital Group of Company
Date Posted: 2016/11/23
AbdAlrahman Fouda
by AbdAlrahman Fouda , Technical Office Engineer , BAUD Telecom Company (BTC)

Is a physical or logical sub network that separates an internal local area network from other untrusted networks

Kirby Carl Lapaz
by Kirby Carl Lapaz , Info Tech , Gaisano Capital Group of Company

 DMZ - demilitarized zone, a part of network security. it a physical or logical subnetwork  that limit or serve only external and/or unstrusted network.

Kasiananthan C CRISC CISA CEH
by Kasiananthan C CRISC CISA CEH , Technology Risk and Controls , BA Continuum India Private Limited (Bank of America Subsidiary)

Predominantly to reduce exposure of your internal network. Public facing assets/apps can be placed in DMZ.

imran imran
by imran imran , Network Support Engineer , Trimax IT Infrastructure & services Ltd.

In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a usually larger and untrusted network, usually the Internet.

 

Hosts in the DMZ are permitted to have only limited connectivity to specific hosts in the internal network, as the content of DMZ is not as secure as the internal network. Similarly communication between hosts in the DMZ and to the external network is also restricted, to make the DMZ more secure than the Internet, and suitable for housing these special purpose services. This allows hosts in the DMZ to communicate with both the internal and external network, while an intervening firewall controls the traffic between the DMZ servers and the internal network clients, and another firewall would perform some level of control to protect the DMZ from the external network.

A DMZ configuration provides security from external attacks, but it typically has no bearing on internal attacks such as sniffing communication via a Packet analyzer or spoofing such as e-mail spoofing.

Deleted user
by Deleted user

In most computer networks, the most vulnerable components are those computer hosts that are responsible for providing end-user services such as web, DNS (Domain Naming System), and email servers. Due to the odds of one of these servers becoming compromised through published or newly discovered exploits, when employing the DMZ concept they are configured to reside within their own sub-network. This allows the remainder of the network to be protected if a rogue actor or hacker is able to succeed in attacking any of the servers.

Any computer host that is placed in the DMZ will have limited connectivity to other hosts that solely reside within the internal network. The DMZ does permit communication across hosts located within the DMZ and to the external network or Internet. This aspect of the DMZ allows servers to provide services to both the external and internal networks. In this configuration, a computer firewall is used to monitor and control the network traffic between the servers located within the DMZ and internal network client computers. Unfortunately,  DMZ Configuration will not provide much if any protection against internal network attacks such as email spoofing or network traffic analysis or packet sniffing.

rajab asfour
by rajab asfour , network security section head , royal hashemite court

in short you use a DMZ to place similar internet exposed services in one block

for example you place your the HTTP, FTP, SFTP, VOIP, reverse proxy etc.. in one network

you allow internet users to access this one network on which you place all your published services and block inbound internet traffic to the rest of your internal networks 

thereby limiting any damage from spreading from a published service to your internal assets

 like your databases for example

 

Mohamed Abdellateef
by Mohamed Abdellateef , Network Engineer , ُESSBC

Any service that is being provided to users on the Internet should be placed in the DMZ. The most common of these services are: Web, Mail, DNSFTP, and VoIP. The systems running these services in the DMZ are reachable by hackersand cybercriminals around the world and need to be hardened to withstand constant attack. The term DMZ comes from the geographic buffer zone that was set up between North Korea and South Korea at the end of the Korean War. A DMZ is now often referred to as a perimeter network.

There are various ways to design a network with a DMZ. The two most common methods are with a single or dual firewalls. These architectures can be expanded to create very complex architectures depending on the network requirements. A single firewall with at least three network interfaces can be used to create a network architecture containing a DMZ. The external network is formed from the ISP to the firewall on the first network interface, the internal network is formed from the second network interface, and the DMZ is formed from the third network interface. Different sets of firewall rules for traffic between the Internet and the DMZ, the LAN and the DMZ, and the LAN and the Internet tightly control which ports and types of traffic are allowed into the DMZ from the Internet, limit connectivity to specific hosts in the internal network, and prevent unrequested connections either to the Internet or the internal LAN from the DMZ.

Deleted user
by Deleted user

It is a network design, demilitarized zones are logical network segmentation for neutrally trusted nodes which are lying between most trusted and least trusted networks.

Nasir Ali
by Nasir Ali , ITSM Manager , Confidential

In computer networks, a DMZ (demilitarized zone) is a physical or logical sub-network that separates an internal local area network (LAN) from other untrusted networks, usually the Internet. External-facing servers, resources and services are located in the DMZ so they are accessible from the Internet but the rest of the internal LAN remains unreachable. This provides an additional layer of security to the LAN as it restricts the ability of hackers to directly access internal servers and data via the Internet.

 

Any service that is being provided to users on the Internet should be placed in the DMZ. The most common of these services are: Web, Mail, DNS, FTP, and VoIP. The systems running these services in the DMZ are reachable by hackers and cyber criminals around the world and need to be hardened to withstand constant attack. 

More Questions Like This