The concept of the DMZ, like many other network security
concepts, was borrowed from military terminology. Geopolitically, a
demilitarized zone (DMZ) is an area that runs between two territories that are
hostile to one another or two opposing forces' battle lines. The term was first
widely used to refer to the strip of land that cuts across the Korean peninsula
and separates the North from the South. In computer networking, the DMZ
likewise provides a buffer zone that separates an internal network from the often
hostile territory of the Internet. Sometimes it's called a "screened
subnet" or a "perimeter network," but the purpose remains the same.
In this article, we'll look at how the DMZ works and
different security architectures for building DMZs. In the second part of
this two-part series, we'll talk about what computers should (and shouldn't)
be placed in the DMZ and how to monitor DMZ activity.
How the DMZ Works
Unlike the geopolitical DMZ, a DMZ network is not a no-man's
land that belongs to nobody. When you create a DMZ for your organization, it
belongs to you and is under your control. However, it is an isolated network
that's separate from your corporate LAN (the "internal" network). The
DMZ uses IP addresses belonging to a different network ID.
If you think of the internal network as the "trusted"
network and the external public network (the Internet) as the "untrusted"
network, you can think of the DMZ as a "semi-trusted" area. It's not
as well protected as the LAN, but because it sits behind a firewall it is not
as exposed as the Internet either. You can also think of the DMZ as a "liaison
network" that can communicate with both the Internet and the LAN while
sitting between the two, as illustrated by Figure A.
Figure A: The DMZ sits between the "hostile" Internet and the internal network.
What does this accomplish? You can place computers that need
to communicate directly with the Internet (public servers) in the DMZ instead
of on your internal network. They will be protected by the outer firewall,
although they are still at risk simply because they have direct contact with
Internet computers. Because the DMZ is only "semi-secure," it's
easier to hack a computer in the DMZ than on the internal network. The good
news is that if a DMZ computer does get hacked, the attacker does not
automatically gain access to the internal network, because the DMZ is a completely
separate network and the firewall between the two still decides what a DMZ host may
reach. A compromised DMZ host is still a pivot point, though, which is why the
DMZ-to-internal rules discussed below must be kept as tight as possible.
Why put any computers in this riskier network? Let's take an
example: in order to do its job (make your Web site available to members of the
public), your Web server has to be accessible to the Internet. But having a
server on your network that's accessible from the Internet puts the entire
network at risk. There are three ways to reduce that risk:
- You could pay
a hosting company to host your Web sites on their machines and network.
However, this gives you less control over your Web servers.
- You could host the public servers on the
firewall computer. However, best security practices say the firewall computer
should be dedicated solely to act as a firewall (this reduces the chances of
the firewall being compromised), and practically speaking, this would impair
the firewall's performance. Besides, if you have a firewall appliance running a
proprietary OS, you won't be able to install other services on it.
- The third solution is to put the public Web
servers on a separate, isolated network: the DMZ.
Creating a DMZ Infrastructure
The DMZ is created by two basic components: IP addresses and
firewalls. Remember that two important characteristics of the DMZ are:
- It has a different network ID from the internal network
- It is separated from both the Internet and the internal network by a firewall
IP Addressing Scheme
A DMZ can use either public or private IP addresses,
depending on its architecture and firewall configuration. If you use public
addresses, you'll usually need to subnet the IP address block that your ISP has
assigned to you, so that you have two separate network IDs. One of
the network IDs will be used for the external interface of your firewall and
the other will be used for the DMZ network.
When you subnet your IP address block, you must configure the router on the
ISP side to reach the DMZ subnet through the firewall's external interface;
otherwise packets for your public servers will never arrive.
You can also put the DMZ on the same physical switches that carry your internal
network by using Virtual LAN (VLAN) tagging. This is a method of partitioning
traffic that shares a common switch, by creating virtual local area networks as
described in IEEE standard 802.1Q. This specification creates a standard way of
tagging Ethernet frames with information about VLAN membership. Each VLAN is its
own broadcast domain, and the firewall reaches it through a tagged subinterface,
so the DMZ VLAN still needs its own network ID for the firewall to route and
filter between it and the LAN. Keep in mind that this separation is only as good
as the switch configuration: a mis-set trunk port can expose the DMZ VLAN to
internal hosts, so a physically separate switch is the more conservative choice.
If you use private IP addresses for the DMZ, you'll need a
Network Address Translation (NAT) device to translate the private addresses to
a public address at the Internet edge. Some firewalls provide address translation
themselves. Whether to choose a NAT relationship or a routed
relationship between the Internet and the DMZ depends on the applications you
need to support, as some applications don't work well with NAT (typically those
that carry IP addresses or port numbers inside their payload, which the NAT
device doesn't rewrite).
When we say that a firewall must separate the DMZ from both
the internal LAN and the Internet, that doesn't necessarily mean you have to
buy two firewalls. If you have a "three legged firewall" (one with at
least three network interfaces), the same firewall can serve both functions. On
the other hand, there are reasons you might want to use two separate firewalls
(a front end and a back end firewall) to create the DMZ.
Figure A above illustrates a DMZ that uses two firewalls,
called a back to back DMZ. An
advantage of this configuration is that you can put a fast packet filtering
firewall/router at the front end (the Internet edge) to increase performance of
your public servers, and place a slower application layer filtering (ALF)
firewall at the back end (next to the corporate LAN) to provide more protection
to the internal network without negatively impacting performance for your
public servers. Each firewall in this configuration has two interfaces. The
front end firewall has an external interface to the Internet and an internal
interface to the DMZ, whereas the backend firewall has an external interface to
the DMZ and an internal interface to the corporate LAN. Using products from two
different vendors for the two firewalls also means that a single vulnerability
or misconfiguration is less likely to open both at once.
When you use a single firewall to create a DMZ, it's called
a trihomed DMZ. That's because the
firewall computer or appliance has interfaces to three separate networks:
- The internal interface to the trusted network (the internal LAN)
- The external interface to the untrusted network (the public Internet)
- The interface to the semi-trusted network (the DMZ)
The trihomed DMZ looks like Figure B.
Figure B: A trihomed DMZ uses a "three legged" firewall to create separate networks for the Internet, the DMZ and the internal LAN.
Even if you use a single trihomed firewall to protect both
the DMZ and the internal network, you should be able to configure separate
rules for evaluating traffic depending on its origin and destination. That is,
there should be separate rules for:
- Incoming traffic from the Internet to the DMZ
- Incoming traffic from the DMZ to the internal network
- Incoming traffic from the Internet to the internal network
- Outgoing traffic from the internal network to the DMZ
- Outgoing traffic from the internal network to the Internet
- Outgoing traffic from the DMZ to the Internet
The DMZ actually reduces the complexity of filtering
traffic, because you can write rules in terms of zones: one set of permitted
inbound services for the DMZ as a whole, rather than a separate "publishing"
rule for each server. If you were hosting the public servers on the internal
network, you would need to configure different rules for each server and punch
a hole through the firewall for each one, which is exactly the kind of
rule sprawl that leads to mistakes.
Block all traffic initiated from the Internet to the internal computers. You
should also restrict traffic from the DMZ to the internal network (pin each
permitted flow to a specific host and port, such as the Web tier talking to one
database server), as well as traffic from the Internet to the DMZ. Allow only
the traffic that is necessary for your users to access the resources they need.
This means applying the "principle of least privilege" to the rule base: your
default is to deny all traffic, and you then allow protocols and open ports
only where there is a demonstrated need.
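The addressing scheme and the zone-based rule set described above can be made concrete with a small model. The following Python is an added example, not code from the article or from any firewall product. It splits an assumed ISP block (203.0.113.0/28) into an external /29 and a DMZ /29, uses 10.0.0.0/8 as the assumed internal LAN, classifies addresses into the three legs of a trihomed firewall, evaluates constructed sample flows against a default-deny rule table, and audits the table for the two mistakes that undo the DMZ: a direct Internet-to-LAN rule, and a DMZ-to-LAN rule that is not pinned to one host and port. All addresses, hosts and rule contents are illustrative assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed address plan (illustrative): the ISP assigns 203.0.113.0/28, which we
# subnet into two /29s: one for the firewall's external interface, one for the
# DMZ. The internal LAN lives in private space. None of this is from the article.
ISP_BLOCK = ipaddress.ip_network("203.0.113.0/28")
EXTERNAL, DMZ = list(ISP_BLOCK.subnets(new_prefix=29))
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def zone(addr: str) -> str:
    """Map an address to one of the three legs of a trihomed firewall."""
    ip = ipaddress.ip_address(addr)
    if ip in DMZ:
        return "dmz"
    if ip in INTERNAL:
        return "internal"
    return "internet"  # everything else, including EXTERNAL (the firewall's outside leg)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dports: frozenset                 # empty set = any destination port
    dst_host: Optional[str] = None    # when set, the rule applies to one host only
    note: str = ""


# Default-deny policy: anything not listed here is dropped. Hosts are assumptions.
RULES: List[Rule] = [
    Rule("internet", "dmz", "tcp", frozenset({80, 443}), note="public web"),
    Rule("internet", "dmz", "tcp", frozenset({25}), dst_host="203.0.113.11", note="inbound SMTP"),
    Rule("internal", "dmz", "tcp", frozenset({22, 443}), note="admin and testing from the LAN"),
    Rule("internal", "internet", "tcp", frozenset({80, 443}), note="user browsing"),
    Rule("internal", "internet", "udp", frozenset({53}), note="DNS"),
    # The single hole from the DMZ back into the LAN: the web tier to one database host.
    Rule("dmz", "internal", "tcp", frozenset({1433}), dst_host="10.1.5.20", note="web tier to DB"),
    # Deliberately no DMZ -> Internet rule: add one per update server if needed.
]

# A rule an administrator might add "to get things working"; it turns every DMZ
# host into a pivot into the LAN and is what audit() is meant to catch.
WEAK_RULES: List[Rule] = RULES + [Rule("dmz", "internal", "tcp", frozenset(), note="any DMZ host to LAN")]


def evaluate(src: str, dst: str, proto: str, dport: int, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First matching rule wins; no match means deny."""
    s, d = zone(src), zone(dst)
    if s == d:
        return ("allow", f"{s} to {s}: does not cross the firewall")
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto) != (s, d, proto):
            continue
        if r.dports and dport not in r.dports:
            continue
        if r.dst_host and ipaddress.ip_address(dst) != ipaddress.ip_address(r.dst_host):
            continue
        return ("allow", f"{s} -> {d}: {r.note}")
    return ("deny", f"{s} -> {d}: no matching rule, default deny")


def audit(rules: List[Rule] = RULES) -> List[str]:
    """Flag rules that defeat the purpose of having a DMZ."""
    findings = []
    for r in rules:
        if r.src_zone == "internet" and r.dst_zone == "internal":
            findings.append(f"Internet reaches the LAN directly: {r.note}")
        if r.src_zone == "dmz" and r.dst_zone == "internal" and (not r.dports or r.dst_host is None):
            findings.append(f"DMZ -> LAN rule not pinned to one host and port: {r.note}")
    return findings


if __name__ == "__main__":
    # Constructed sample flows, one per direction the article lists.
    flows = [
        ("198.51.100.7", "203.0.113.10", "tcp", 443),   # visitor to the public web server
        ("198.51.100.7", "10.1.2.3", "tcp", 445),       # Internet straight into the LAN
        ("203.0.113.10", "10.1.2.3", "tcp", 445),       # compromised web server pivoting
        ("203.0.113.10", "10.1.5.20", "tcp", 1433),     # web tier to its database
        ("10.1.2.3", "203.0.113.10", "tcp", 22),        # admin SSH into the DMZ
        ("203.0.113.10", "198.51.100.50", "tcp", 443),  # DMZ host calling out
    ]
    for f in flows:
        print(f, "->", evaluate(*f))
    print("audit of WEAK_RULES:", audit(WEAK_RULES))
```

The pivot flow (a DMZ web server reaching for SMB on an internal host) is denied under RULES and allowed under WEAK_RULES; the audit catches the weak rule without needing to enumerate flows, which is the check worth running whenever the rule base changes.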
Vendor Support for DMZs
Major hardware and software vendors support the DMZ concept
in their products. Cisco routers have multiple LAN ports, one of which is
designated as a DMZ port, and the IOS operating system uses Port Address
Translation (PAT) to allow traffic to be routed to multiple servers with a
single IP address destination. As the name implies, it uses port numbers (such
as 80 for the Web server and 25 for the mail server) to distinguish between the
multiple servers. This allows you to have multiple public servers without
paying for multiple public IP addresses.
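To show what PAT actually does to a packet, and why the earlier caveat that some applications don't work well with NAT exists, here is an added example in Python; it is not code from the article or from Cisco IOS. It assumes a single public address (203.0.113.10), a DMZ on private space behind it, and a static port-forward table; it builds a constructed IPv4/TCP SYN in memory, rewrites the destination address and port the way a PAT device would, and recomputes both header checksums. Packets for unmapped ports are dropped.

```python
import socket
import struct
from typing import Dict, Optional, Tuple

# Assumed values for this example: one public address from the ISP and a DMZ on
# private space behind it. None of these come from the article.
PUBLIC_IP = "203.0.113.10"
# PAT table: public TCP port -> (DMZ host, port). Each public port can point at
# only one server, which is the trade-off of sharing a single public address.
FORWARDS: Dict[int, Tuple[str, int]] = {
    80:  ("192.168.50.10", 80),    # web server
    443: ("192.168.50.10", 443),
    25:  ("192.168.50.20", 25),    # mail server
}


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum used by both the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp_pseudo(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """Pseudo-header that the TCP checksum covers: addresses, protocol 6, length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4/TCP SYN so the example runs without a network."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", checksum(_tcp_pseudo(src_ip, dst_ip, len(tcp)) + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse(pkt: bytes) -> Tuple[str, str, int, int]:
    """Return (src_ip, dst_ip, sport, dport) from an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, sport, dport


def checksums_valid(pkt: bytes) -> bool:
    """A header carrying a correct checksum sums to zero under the same algorithm."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst, _, _ = parse(pkt)
    tcp = pkt[ihl:]
    return checksum(pkt[:ihl]) == 0 and checksum(_tcp_pseudo(src, dst, len(tcp)) + tcp) == 0


def dnat_inbound(pkt: bytes) -> Optional[bytes]:
    """Rewrite an Internet-facing packet to the DMZ server behind PUBLIC_IP.

    Returns None (drop) when the packet is not for our public address or the
    destination port has no mapping: unmapped services are simply unreachable.
    """
    src, dst, sport, dport = parse(pkt)
    if dst != PUBLIC_IP or dport not in FORWARDS:
        return None
    new_ip, new_port = FORWARDS[dport]
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = pkt[:ihl], pkt[ihl:]
    # New destination address, then recompute the IP header checksum over a zeroed field.
    ip = ip[:16] + socket.inet_aton(new_ip) + ip[20:]
    ip = ip[:10] + b"\x00\x00" + ip[12:]
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    # New destination port; the TCP checksum covers the pseudo-header, so it changes too.
    tcp = tcp[:2] + struct.pack("!H", new_port) + tcp[4:]
    tcp = tcp[:16] + b"\x00\x00" + tcp[18:]
    tcp = tcp[:16] + struct.pack("!H", checksum(_tcp_pseudo(src, new_ip, len(tcp)) + tcp)) + tcp[18:]
    # What is NOT rewritten: the payload. A protocol that carries addresses or
    # ports inside its payload (classic FTP, some VoIP) still advertises the
    # private address, which is why such applications "don't work well with NAT".
    return ip + tcp


if __name__ == "__main__":
    client = "198.51.100.7"
    for port in (80, 25, 22):
        out = dnat_inbound(build_syn(client, PUBLIC_IP, 40000, port))
        print(port, "->", parse(out) if out else "dropped")
```

Two things the block makes visible: a port with no mapping (22 above) never reaches any DMZ host, which is a useful side effect of PAT but not a substitute for firewall rules, and every rewrite forces a checksum recomputation over the pseudo-header, which is where payload-embedded addresses fall outside what the translator fixes.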
Many firewall appliances, such as the SonicWall, come with
three Ethernet ports: a LAN port (to connect to the internal network), a WAN
port (to connect to the Internet) and a DMZ port (to connect to the network
housing your public servers).
Microsoft's ISA Server 2004's multi-networking feature
allows you to connect the ISA Server firewall to as many networks as you wish,
limited only by the number of network interface cards you can install in the
machine. No network is automatically "trusted" in the new ISA model,
so you configure security according to the needs of the particular network.
Common DMZ Security Architectures
A DMZ is considered by many to be a "wide open" network,
much like the geopolitical DMZ where you risk being shot anytime you set foot
inside it. However, not all DMZs are created equal when it comes to the
security architecture. Even when you place computers in the DMZ, there are
still ways to protect them. The level of security within the DMZ also depends
on the nature of the servers that are placed there. We can divide DMZs into two
categories:
- DMZs designed for unauthenticated or anonymous access
- DMZs designed for authenticated access
If you have a Web server that you want everybody on the
Internet to be able to access, (such as a Web presence advertising your
company), you'll have to allow anonymous access. You can't easily provide
authentication credentials to every stranger who happens upon your site.
However, if your Internet-facing servers on the DMZ are used by partners,
customers, or employees working off-site, you can require authentication to
access them. This makes it more difficult for a hacker to gain access.
The DMZ Honeynet
There is a special use for the anonymous DMZ that's becoming
more popular: creating a "honeynet." This is a network that consists
of one or more "honeypot" computers that are designed to lure hackers
--either so they can be caught or tracked, or to divert them from the network's
real resources. Unlike with other DMZs, you actually want this network to be compromised.
Often the computers on the honeynet are virtual machines
that are all installed on a single physical machine, and intrusion detection
systems and other monitoring systems are put in place to gather information
about the hackers' techniques, tactics and identities. Because you expect these
hosts to fall, give the honeynet its own segment and firewall rules rather than
sharing the DMZ with your real public servers, and restrict its outbound traffic
so a captured honeypot can't be turned against your own network or someone else's.
Host Security on the DMZ
Because the DMZ is a less secure network than the internal
network, host security is even more important for the computers that are "out
there." The servers on your DMZ should be hardened as much as possible
(while maintaining their accessibility to those who need to access them). This
includes the following:
- All unnecessary services should be disabled.
- Necessary services should be run with the lowest privileges they need.
- Strong passwords or passphrases should be used.
- Unnecessary user accounts should be deleted or
disabled, and default accounts should be disguised (for example, by renaming them).
- Systems should have the latest security updates
and patches applied.
- Security logging should be enabled (and you
should check the logs frequently!). Forward the logs over a single permitted
flow to a collector on the internal side, because a compromised DMZ host can
edit its own log files.
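A hardening list like this is only useful if you check it. The following Python is an added example, not from the article: it runs the "unnecessary services" and "unnecessary or default accounts" checks over a constructed `ss -H -lntp` listing and a constructed /etc/passwd excerpt for an assumed DMZ web server whose only job is nginx on ports 80 and 443 plus SSH for administration. The expected-listener table, the allowlisted accounts and all sample data are assumptions; in practice you would feed it the real command output.

```python
import re
from typing import List, Tuple

# Constructed sample of `ss -H -lntp` output for a DMZ web server. Not real data.
SS_OUTPUT = """\
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=612,fd=6))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=612,fd=7))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=401,fd=3))
LISTEN 0 50 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=880,fd=21))
LISTEN 0 128 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=300,fd=4))
LISTEN 0 100 127.0.0.1:25 0.0.0.0:* users:(("master",pid=700,fd=13))
"""

# Constructed /etc/passwd excerpt, including a second UID-0 account. Not real data.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
guest:x:1001:1001:Guest:/home/guest:/bin/bash
webadmin:x:1002:1002::/home/webadmin:/bin/bash
oldintern:x:1003:1003::/home/oldintern:/bin/sh
toor:x:0:0::/root:/bin/bash
"""

# This host's role: the only services that may listen on a non-loopback address.
EXPECTED_LISTENERS = {80: "nginx", 443: "nginx", 22: "sshd"}
# Accounts that legitimately keep an interactive shell (assumed).
SHELL_ALLOWLIST = {"root", "webadmin"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

_SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def audit_listeners(ss_text: str = SS_OUTPUT) -> List[Tuple[str, str]]:
    """Return (severity, message) for every listener the server's role does not call for."""
    findings = []
    for line in ss_text.splitlines():
        m = _SS_LINE.match(line)
        if not m:
            continue
        addr, port, proc = m.group(1), int(m.group(2)), m.group(3)
        if EXPECTED_LISTENERS.get(port) == proc:
            continue
        if addr.startswith("127.") or addr == "[::1]":
            # Not reachable from the DMZ network, but still an unneeded service.
            findings.append(("low", f"{proc} on {addr}:{port} is loopback-only; disable it if unused"))
        else:
            findings.append(("high", f"{proc} listening on {addr}:{port} is exposed and not part of this host's role"))
    return findings


def audit_accounts(passwd_text: str = PASSWD) -> List[str]:
    """Flag extra UID-0 accounts and interactive shells outside the allowlist."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid == 0 and name != "root":
            findings.append(f"{name} has UID 0: a second superuser account")
        if shell not in NOLOGIN_SHELLS and name not in SHELL_ALLOWLIST:
            findings.append(f"{name} has an interactive shell ({shell}); disable or remove it")
    return findings


if __name__ == "__main__":
    for severity, msg in audit_listeners():
        print(severity.upper(), msg)
    for msg in audit_accounts():
        print("ACCOUNT", msg)
```

On the sample data the listener check flags the exposed MySQL and rpcbind services (a database has no business being reachable from the DMZ segment at all) and notes the loopback-only mail daemon; the account check flags two stale interactive accounts and the second UID-0 account, the kind of thing that survives on a host nobody audits.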
The Evolution of the DMZ
The definition of "DMZ" is becoming broader, as
more uses are found for these "semi-trusted" networks. Today's
networks are complex, and security specialists are beginning to realize that
the concept of the network "edge" or "perimeter" is
outdated; an enterprise network has multiple perimeters. Thus, DMZs may be
appropriate at places other than at the edge of the Internet, and large
networks can benefit from having multiple DMZs.