A dedicated DMZ is an implementation of a specific DMZ network scenario as a solution. Most DMZ implementations are dedicated in that sense, i.e. they serve a purpose and the people who designed it had a solution concept in mind for solving a problem.
A DMZ should not be dumping ground for placing everything else that cannot be placed elsewhere. However, that happens too often – unfortunately. This is the reason why it makes sense to be more specific when using the term “DMZ”. The simple fact of attaching a label to it regarding its purpose helps to clarify usage and expectations.
A dedicated DMZ scenario should be aligned with the requirements of applications and services which are placed within – and vice versa. Security requirements and expectations of all stakeholders should match during the whole life-cyle of an implementation.
2016/02/05 © ACROSEC Inc.
There are many ways how to implement a DMZ. Following details should be considered when building a DMZ:
- Clarify the purpose of the DMZ first before choosing a particular design
- Choose between a dual homed or single homed DMZ design
- The number of network segments in a DMZ, e.g. external facing network, internal facing network, additional networks for dedicated purpose
- Design how to do systems management of DMZ infrastructure and application servers, e.g. via dedicated management interfaces
- How many switches to use (sharing hardware like switches for external and internal segments is a security risk – thanks André for this)
- Decide which DMZ elements to virtualize and what to have physical
- Which network or infrastructure services to implemented separately (reusing internal DNS, AD etc. is a security risk)
- Design policies of how to use the DMZ and clarify ownership responsibilities
- Design change management procedures and oversight responsibilities for the DMZ
- etc.
Note: This list is not exhausting.
Note: A dual homed DMZ design has 2 firewalls (external and internal). Single homed DMZ designs have only 1 firewall (Quick and cheap approach, higher risk of exposure).
2016/02/05 © ACROSEC Inc.
“Many technical details” could be the short answer to this question. However, it makes sense to lift the discussion to following level:
- Purpose: Usually used at boundaries (network perimeter or internal network) in order to offer gateway connectivity services between differently trusted areas. Can also be used to build trust structures within the internal network. Purpose should be documented or definied in policies.
- Current configuration: Degree of virtualization, number of segments, connectivity on each layer, firewall rules, direction of connection establishment, protocol capabilities, available network services within a DMZ, proxies and gateways, applications and servers.
- Actual use of it: Currently involved applications, services and data (therefore need to understand classification of involved data and services).
- Expectation match (or degree of missmatch): Expectations of all involved stakeholders of setup and actual use should match if the intention is to maintain security or another important purpose. Maintaining consistency over the life-cycle of involved implementations requires governance oversight and thorough change management procedures across many involved components.
A DMZ (demilitarized zone) is in IT a special network zone which is normally placed between other network zones of different trust level. Most frequently it is used at the perimeter boundary in order to place external facing servers, i.e. web servers. However, a DMZ can be used in many different ways, also within the internal network. It is basically purpose, configuration and its use that defines if a DMZ is a dangerous no-go area or a trusted security zone.
Furthermore, there are multiple ways how to look at such DMZ network zones. The usual and obvious way is to look at it from the technical perspective because it is a technical subject belonging to network administration and to some security specialists. It is also a topic full of pitfalls as many technical details on many components need to be considered from multiple angles. The sum of these details will make the difference between security failure and success of a DMZ environement.
2016/02/05 © ACROSEC Inc.