DMZ (computing)

A demilitarized zone (DMZ) is a computer network segment whose servers can be reached only through access controls enforced at the network boundary.

The systems placed in the DMZ are shielded from other networks (e.g. the Internet and the LAN) by one or more firewalls. This separation allows access to publicly reachable services (bastion hosts running e-mail, web servers and the like) while at the same time protecting the internal network (LAN) against unauthorized access from outside.

The purpose is to make services of the network available to both the WAN (Internet) and the LAN (intranet) on as secure a basis as possible.

A DMZ achieves its protective effect by isolating a system from two or more networks.

Security aspects

In Germany, the BSI recommends a two-tier firewall concept toward the Internet in its IT-Grundschutz catalogs (IT baseline protection catalogs). One firewall separates the Internet from the DMZ, and a second firewall separates the DMZ from the internal network. A single vulnerability therefore does not immediately compromise the internal network. Ideally the two firewalls come from different manufacturers, since otherwise one known vulnerability would be enough to get past both.

The filtering functions can, however, also be handled by a single device. In that case the filtering system needs at least three network interfaces: one for each of the two network segments to be connected (e.g. WAN and LAN) and a third for the DMZ (see also dual-homed host).

Even if the firewall protects the internal network against attacks from a compromised server in the DMZ, the other servers in the DMZ remain directly attackable unless additional protective measures are taken, for example segmentation into VLANs, or a software firewall on each server that discards all packets originating from the DMZ network itself.

As a matter of principle, a connection should always be established from the internal network into the DMZ, never from the DMZ into the internal network. A common exception is access from the DMZ to a database server on the internal network. The last instance watching over this principle is usually the firewall administrator, before a rule is activated. The threat potential of a compromised server in the DMZ is thus largely reduced to attacks:

  • directly on the inner firewall,
  • on other servers in the same DMZ,
  • on vulnerabilities in administration tools such as Telnet or SSH, and
  • on connections that were legitimately established into the DMZ (for example, by abusing an administrator's open session).
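The following is an added example, not code from the original article, covering the two-tier layout, the three-interface single-device variant and the connection-direction rule described above. It models the firewall policy as data, renders it as an nftables ruleset, and evaluates constructed packets against it with simple reply tracking, so the direction rule (internal to DMZ only, with the database-server exception) and the intra-DMZ isolation can be checked. All addresses, interface names, hostnames and ports are constructed for the example.

```python
"""Zone-based model of a two-tier DMZ firewall policy (added illustration).

Assumptions (not from the article): DMZ is 192.0.2.0/24, LAN is 10.0.0.0/8,
everything else is WAN; the filter is one device with three interfaces.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing: one prefix per inside zone; anything else is WAN.
ZONES = {"DMZ": ip_network("192.0.2.0/24"), "LAN": ip_network("10.0.0.0/8")}
IFACES = {"WAN": "eth0", "DMZ": "eth1", "LAN": "eth2"}   # three-port filter


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "WAN")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int]            # None matches any destination port
    action: str                     # "accept" or "drop"
    src_host: Optional[str] = None  # pin the rule to a single DMZ server

    def matches(self, pkt: Packet) -> bool:
        return (zone_of(pkt.src) == self.src_zone
                and zone_of(pkt.dst) == self.dst_zone
                and self.dport in (None, pkt.dport)
                and self.src_host in (None, pkt.src))

    def to_nft(self) -> str:
        parts = [f'iifname "{IFACES[self.src_zone]}"',
                 f'oifname "{IFACES[self.dst_zone]}"']
        if self.src_host:
            parts.append(f"ip saddr {self.src_host}")
        if self.dport is not None:
            parts.append(f"tcp dport {self.dport}")
        return " ".join(parts + [self.action])


# The policy from the text: public services reachable from the WAN, admin
# access from the LAN into the DMZ, no DMZ-initiated connections inward
# except the web server's database access, and no traffic between DMZ peers.
POLICY = [
    Rule("WAN", "DMZ", 443, "accept"),                          # public web
    Rule("WAN", "DMZ", 25, "accept"),                           # public mail
    Rule("LAN", "DMZ", None, "accept"),                         # admin, content push
    Rule("LAN", "WAN", None, "accept"),                         # outbound browsing
    Rule("DMZ", "LAN", 5432, "accept", src_host="192.0.2.10"),  # web -> DB only
    Rule("DMZ", "DMZ", None, "drop"),                           # isolate DMZ peers
]


class Firewall:
    """First-match filter with default drop and tracking of accepted flows."""

    def __init__(self, policy):
        self.policy = policy
        self.flows = set()   # accepted (src, sport, dst, dport) tuples

    def decide(self, pkt: Packet) -> str:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "accept"              # reply to an accepted connection
        for rule in self.policy:
            if rule.matches(pkt):
                if rule.action == "accept":
                    self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return rule.action
        return "drop"                    # default policy

    def to_nft(self) -> str:
        lines = ["table inet dmz {", "  chain forward {",
                 "    type filter hook forward priority 0; policy drop;",
                 "    ct state established,related accept"]
        lines += ["    " + r.to_nft() for r in self.policy]
        return "\n".join(lines + ["  }", "}"])


def demo() -> dict:
    """Decisions for constructed packets; hosts are assumptions for the example."""
    fw = Firewall(POLICY)
    web, mail, db = "192.0.2.10", "192.0.2.11", "10.0.1.5"
    admin, client = "10.0.9.9", "203.0.113.7"
    return {
        "wan_to_web": fw.decide(Packet(client, web, 50000, 443)),
        "web_reply": fw.decide(Packet(web, client, 443, 50000)),
        "lan_ssh_dmz": fw.decide(Packet(admin, web, 51000, 22)),
        "web_to_db": fw.decide(Packet(web, db, 52000, 5432)),
        "web_to_lan_ssh": fw.decide(Packet(web, admin, 53000, 22)),  # direction rule
        "mail_to_db": fw.decide(Packet(mail, db, 54000, 5432)),      # not the pinned host
        "dmz_peer": fw.decide(Packet(web, mail, 55000, 22)),         # lateral movement
        "wan_to_lan": fw.decide(Packet(client, admin, 56000, 445)),
    }


if __name__ == "__main__":
    print(Firewall(POLICY).to_nft())
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```

The rendered DMZ-to-DMZ drop only has effect on a firewall if the DMZ hosts sit on separate VLANs or interfaces that are routed through it; on a flat DMZ segment that traffic never reaches the firewall, which is why the text calls for VLAN segmentation or a host firewall on each server instead.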

Other variants

Exposed host as "pseudo-DMZ"

Some home routers incorrectly label the configuration of an exposed host as "DMZ". This setting lets you specify the IP address of a computer on the internal network to which all packets from the Internet are forwarded that cannot be assigned to another recipient via the NAT table. The host thus becomes reachable from the Internet, including by potential attackers, and unlike a server in a real DMZ it still sits in the same network segment as every other internal device, so compromising it places the attacker inside the LAN. Where possible, port forwarding of only the ports actually in use is preferable.

It depends on the specific firewall implementation whether port forwardings to other computers are applied first and the exposed host only afterwards, or whether the exposed host renders the port forwardings to other computers ineffective.
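The following added example (not code from the original article) models a home router's destination NAT as a first-match chain, the way an iptables PREROUTING chain is evaluated, so that the difference in attack surface between explicit port forwards and an exposed host, and the vendor-dependent ordering caveat above, can be checked. The internal hosts, addresses, interface name and forwarded ports are constructed for the example.

```python
"""Exposed host versus port forwarding in a home router's NAT (added illustration).

Assumption (not from the article): inbound DNAT rules are evaluated first match
wins, and the router installs them in one of two orders depending on firmware.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Dnat:
    dport: Optional[int]   # None = catch-all rule, i.e. the exposed host
    target: str            # internal host that receives the packet

    def to_iptables(self) -> str:
        """Equivalent rule for a router with a WAN interface named wan0 (assumed)."""
        match = f" -p tcp --dport {self.dport}" if self.dport is not None else ""
        return (f"iptables -t nat -A PREROUTING -i wan0{match} "
                f"-j DNAT --to-destination {self.target}")


def build_chain(forwards: dict, exposed_host: Optional[str],
                forwards_first: bool) -> list:
    """Order the DNAT rules the way a given firmware would install them."""
    specific = [Dnat(port, host) for port, host in sorted(forwards.items())]
    catch_all = [Dnat(None, exposed_host)] if exposed_host else []
    return specific + catch_all if forwards_first else catch_all + specific


def inbound_target(chain: list, dport: int) -> Optional[str]:
    """Internal host that receives an unsolicited inbound TCP packet, or None if dropped."""
    for rule in chain:
        if rule.dport in (None, dport):
            return rule.target
    return None


def reachable_ports(chain: list, host: str, ports=range(1, 65536)) -> set:
    """Ports an Internet scanner could reach on `host` (before any host firewall)."""
    return {p for p in ports if inbound_target(chain, p) == host}


# Constructed home network: a NAS with SSH forwarded, a web server forwarded,
# and a gaming PC that the owner put into the router's so-called "DMZ".
FORWARDS = {22: "192.168.1.20", 443: "192.168.1.30"}
GAME_PC = "192.168.1.50"


def compare() -> dict:
    only_forwards = build_chain(FORWARDS, None, True)
    exposed_after = build_chain(FORWARDS, GAME_PC, True)    # forwards take precedence
    exposed_first = build_chain(FORWARDS, GAME_PC, False)   # exposed host shadows them
    return {
        "forwards_only_surface": len(reachable_ports(only_forwards, GAME_PC)),
        "exposed_surface": len(reachable_ports(exposed_after, GAME_PC)),
        "nas_ssh_with_forwards_first": inbound_target(exposed_after, 22),
        "nas_ssh_with_exposed_first": inbound_target(exposed_first, 22),
        "unmapped_port_without_exposed": inbound_target(only_forwards, 3389),
        "unmapped_port_with_exposed": inbound_target(exposed_after, 3389),
    }


if __name__ == "__main__":
    for rule in build_chain(FORWARDS, GAME_PC, True):
        print(rule.to_iptables())
    for name, value in compare().items():
        print(f"{name:30} {value}")
```

With the exposed host installed after the port forwards, the gaming PC answers on every port that no forward claims; with it installed first, the catch-all rule also swallows the SSH forward meant for the NAS, which is the ordering dependence the text describes.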

Dirty DMZ

A dirty DMZ or dirty net is generally the network segment between the perimeter router and the firewall of the (internal) LAN. Toward the outside, this zone has only the limited security of the perimeter router. This variant of the DMZ offers a performance gain because incoming data needs to be filtered only once (by the perimeter router).

Protected DMZ

A protected DMZ is a DMZ attached to a dedicated LAN interface of the firewall. Such a DMZ has the full, individually configurable security of the firewall. Many firewalls have several LAN interfaces so that multiple DMZs can be set up.