When a guest visits us, the first room they see is the drawing room or living room. They are not shown the deeper, private parts of the house, such as the bedrooms.
Organizational networks have a very similar arrangement. The drawing room of the organizational network is called the "De-Militarized Zone" (DMZ).
This zone hosts the public-facing part of our network and separates it from the internal LAN.
The public-facing part may consist of our web servers, DNS servers, FTP servers and proxy servers.
A DMZ is connected to the Internet via a public IP address and to the organizational intranet via a private IP address.
Each side is protected by a Firewall.
The demilitarized zone can also be equipped with security controls that help prevent, detect or trap malicious actors.
This not only keeps the attacker from entering the internal network, but also gives us more reaction time before our internal systems are compromised.
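To make the two-firewall layout concrete, here is a small policy evaluator, added as an example and not part of the original article. It models the outer firewall (between the Internet and the DMZ, public addressing) and the inner firewall (between the DMZ and the LAN, private addressing) as first-match rule lists with a default deny, and decides which firewalls a flow must cross based on the zones of its endpoints. The address ranges, hosts and port choices are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan for the example (assumptions, not from the article).
ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("203.0.113.0/24")   # public-facing segment (documentation range)
LAN = ipaddress.ip_network("10.0.0.0/8")       # internal segment, private addressing
WEB_SERVER = "203.0.113.10"                    # DMZ web server
DB_SERVER = "10.0.5.20"                        # internal database the web server needs


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: frozenset   # allowed destination ports; empty set means any port
    action: str         # "ALLOW" or "DENY"


def host(ip):
    """Single-address network for a host rule."""
    return ipaddress.ip_network(ip + "/32")


# Outer firewall: only the published services are reachable from the Internet,
# and the LAN is never a valid destination from outside.
OUTER = [
    Rule(ANY, DMZ, frozenset({80, 443, 53}), "ALLOW"),   # published web/DNS services
    Rule(DMZ, ANY, frozenset(), "ALLOW"),                # DMZ hosts may reach out (updates, upstream DNS)
    Rule(LAN, ANY, frozenset(), "ALLOW"),                # LAN egress that the inner firewall already vetted
]

# Inner firewall: the DMZ gets one narrow path into the LAN; the LAN only
# manages the DMZ over SSH. Rule order matters: the explicit DENY sits before
# the broad LAN egress rule so LAN->DMZ traffic cannot ride on it.
INNER = [
    Rule(host(WEB_SERVER), host(DB_SERVER), frozenset({5432}), "ALLOW"),
    Rule(LAN, DMZ, frozenset({22}), "ALLOW"),
    Rule(LAN, DMZ, frozenset(), "DENY"),
    Rule(LAN, ANY, frozenset(), "ALLOW"),
]

FIREWALLS = {"outer": OUTER, "inner": INNER}


def zone(ip):
    addr = ipaddress.ip_address(ip)
    if addr in DMZ:
        return "DMZ"
    if addr in LAN:
        return "LAN"
    return "INTERNET"


# Which firewalls a flow crosses, given the zones of its endpoints.
PATHS = {
    ("INTERNET", "DMZ"): ["outer"], ("DMZ", "INTERNET"): ["outer"],
    ("DMZ", "LAN"): ["inner"], ("LAN", "DMZ"): ["inner"],
    ("INTERNET", "LAN"): ["outer", "inner"], ("LAN", "INTERNET"): ["inner", "outer"],
}


def matches(rule, src, dst, dport):
    return (ipaddress.ip_address(src) in rule.src
            and ipaddress.ip_address(dst) in rule.dst
            and (not rule.dports or dport in rule.dports))


def evaluate(rules, src, dst, dport):
    """First-match evaluation with an implicit default deny."""
    for rule in rules:
        if matches(rule, src, dst, dport):
            return rule.action
    return "DENY"


def is_permitted(src, dst, dport):
    """True only if every firewall on the flow's path allows it."""
    path = PATHS.get((zone(src), zone(dst)))
    if not path:
        return False   # same-zone traffic does not cross a firewall; out of scope here
    return all(evaluate(FIREWALLS[fw], src, dst, dport) == "ALLOW" for fw in path)


if __name__ == "__main__":
    for flow in [("198.51.100.7", WEB_SERVER, 443), ("198.51.100.7", DB_SERVER, 5432),
                 (WEB_SERVER, DB_SERVER, 5432), (WEB_SERVER, "10.0.5.21", 5432),
                 ("10.0.1.5", WEB_SERVER, 22), ("10.0.1.5", WEB_SERVER, 80)]:
        print(flow, "ALLOW" if is_permitted(*flow) else "DENY")
```

The interesting cases are the ones the article's analogy predicts: a visitor from the Internet can reach the web server on 443 but gets nowhere near the database, and the web server itself can only talk to the one internal host and port it was granted, so a compromised DMZ host still has to get past the inner firewall.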
A DMZ can also be hosted on virtual machines: the virtual machine is connected to the Internet on one network and to the internal LAN on another. Containers can be used for a DMZ in the same way.
With the cloud, many DMZs are now hosted directly in the cloud while the internal servers remain on-premises.
The functions served by employing a DMZ are:
- Host public-facing services
- Isolate the Internet from the internal servers
- Reduce access for outsiders
Isolating public-facing services is the obvious advantage of a DMZ; it reduces the attack surface.
The other advantages of using a DMZ are:
- Greater control over the network and packet flow
- Limits reconnaissance: when attackers run reconnaissance attempts against our systems, at most the DMZ is compromised; internal servers are not reached.
- Increases the time we have to react.
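The extra reaction time only helps if someone notices the attacker while they are still in the DMZ. The following is an added example, not code from the article, of the kind of detection the inner firewall makes possible: it parses denied connection attempts from DMZ hosts toward the LAN and flags any DMZ host that probes several distinct internal targets, which is what a compromised public-facing server doing reconnaissance looks like from the inside. The log format, addresses and threshold are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed address plan (assumption, matches nothing in the article).
DMZ = ipaddress.ip_network("203.0.113.0/24")
LAN = ipaddress.ip_network("10.0.0.0/8")

# Constructed log format: one line per connection decision on the inner firewall.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\w+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample: normal web->database traffic, one stray misconfiguration,
# and a web server sweeping internal hosts on SMB/RDP/SSH after a compromise.
SAMPLE_LOG = """
2024-05-01T10:00:01Z inner ALLOW src=203.0.113.10 dst=10.0.5.20 dport=5432
2024-05-01T10:00:02Z inner ALLOW src=203.0.113.10 dst=10.0.5.20 dport=5432
2024-05-01T10:00:05Z inner DENY src=203.0.113.11 dst=10.0.5.20 dport=5432
2024-05-01T10:01:10Z inner DENY src=203.0.113.10 dst=10.0.5.21 dport=445
2024-05-01T10:01:11Z inner DENY src=203.0.113.10 dst=10.0.5.22 dport=445
2024-05-01T10:01:12Z inner DENY src=203.0.113.10 dst=10.0.5.23 dport=3389
this line is malformed and must be skipped
2024-05-01T10:01:13Z inner DENY src=203.0.113.10 dst=10.0.1.1 dport=22
2024-05-01T10:01:14Z inner DENY src=203.0.113.10 dst=10.0.1.1 dport=22
""".strip().splitlines()


def parse(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["dport"] = int(fields["dport"])
    return fields


def find_probing_dmz_hosts(lines, threshold=3):
    """Map each DMZ source to the distinct (dst, dport) LAN targets it was denied,
    keeping only sources that reached `threshold` or more distinct targets."""
    denied = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["action"] != "DENY":
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src in DMZ and dst in LAN:
            denied[rec["src"]].add((rec["dst"], rec["dport"]))
    return {src: sorted(targets) for src, targets in denied.items()
            if len(targets) >= threshold}


if __name__ == "__main__":
    for src, targets in find_probing_dmz_hosts(SAMPLE_LOG).items():
        print(f"ALERT: DMZ host {src} denied to {len(targets)} internal targets: {targets}")
```

Counting distinct targets rather than raw denials keeps a single misconfigured service (the one-off line from 203.0.113.11) below the threshold while a host that walks across several internal addresses and ports is flagged on the first sweep, well before the inner firewall's one allowed path could be abused.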