Distinction between an extranet and a DMZ

These are academic distinctions. In the real world, you will find some combination of all of these concepts going by different terms.

In some organizations, a DMZ has a separate ISP network connection and has no access to internal resources. In other organizations, there are domain-joined machines in the DMZ that can communicate to a restricted set of internal machines. Sometimes internal and DMZ have separate firewalls. Sometimes they have separate interfaces on the same firewall.

It is important to know why someone should use an extranet or DMZ, because those are the security concepts that matter. From there, you can make a choice about how to allow access to certain resources. What it is actually called doesn't matter. In some cases, it is splitting hairs.


I don't think I've recently heard of an extranet outside of textbooks and classrooms.

A DMZ is a common networking topology with a network segment that is segregated by firewalls from the internal network and untrusted external networks (aka the internet).

In contrast, the extranet, if it is actually included in the network design, implies somewhat that it is connected to VPNs or actual private networks instead of the whole of the greater internet.

Many companies have multiple DMZ networks and would consider a network with a VPN gateway/router or a private interconnect just another DMZ.

More often an extranet is/was not so much a network topology but more implied to be a service separate from the internal network that is provided for a restricted set of somewhat trusted, known and/or authenticated external users, companies and networks.

From a networking perspective, your web server should reside in the DMZ network. The fact that your website allows your resellers to log in, browse your catalog, view stock and order would mean that your website would be called an extranet by marketing departments. Development cost would go from $$ to $$$$.


For me, I boil this down to security policy. We have a written policy that no publicly accessible system will have inbound access to the intranet unless a specific exception is authorized. We also have a policy that the DMZ will not have inbound access to our intranet and that our extranet does. For example, we have a web server with a backend database that must sync data with an intranet-based database. We put the web server on the DMZ, the backend database on the extranet, and it syncs with the production intranet database. So for trust rating, the public network would be 0, DMZ would be 1, extranet would be 2, and intranet would be 3.
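The trust-rating policy in the answer above can be encoded and checked mechanically. The following is an added example, not code from the original thread or from any of the posters: a small zone-policy evaluator in which a flow toward an equal or lower trust zone is allowed by default, a flow toward a higher trust zone is denied unless an explicitly documented exception covers it, and the "DMZ never reaches the intranet" rule is a hard deny that no exception may override. The zone names and trust levels are the answer's; the host roles, port numbers and the exception list are constructed assumptions for illustration. It also includes a linter that flags exceptions contradicting the hard-deny rule, which is a useful review step when the exception list is maintained by hand.

```python
"""Toy zone-trust policy evaluator (added example, not from the original thread).

Model: zones carry a trust level. A flow toward an equal-or-lower trust zone
is allowed by default; a flow toward a higher trust zone is denied unless an
explicit, documented exception covers it; some zone pairs are hard-denied and
cannot be opened by any exception. Ports and reasons below are constructed.
"""
from dataclasses import dataclass

# Trust levels as given in the answer: public 0, DMZ 1, extranet 2, intranet 3.
TRUST = {"public": 0, "dmz": 1, "extranet": 2, "intranet": 3}

# Zone pairs that must never be opened, regardless of exceptions
# ("the DMZ will not have inbound access to our intranet").
HARD_DENY = {("dmz", "intranet")}


@dataclass(frozen=True)
class Allowance:
    """An authorized exception: src zone may initiate to dst zone on dst_port."""
    src_zone: str
    dst_zone: str
    dst_port: int
    reason: str


# Constructed exception list mirroring the web -> extranet DB -> intranet DB chain.
# Port 443 for the public web front end and 5432 for the database hops are assumptions.
EXCEPTIONS = [
    Allowance("public", "dmz", 443, "public web front end"),
    Allowance("dmz", "extranet", 5432, "web server to backend database (assumed port)"),
    Allowance("extranet", "intranet", 5432, "backend database sync to production database"),
]


def evaluate(src_zone, dst_zone, dst_port, exceptions=EXCEPTIONS):
    """Decide whether a flow src_zone -> dst_zone:dst_port is permitted.

    Returns (allowed, reason). Evaluation order: hard deny, then default allow
    toward equal-or-lower trust, then explicit exceptions, then default deny.
    """
    if src_zone not in TRUST or dst_zone not in TRUST:
        raise ValueError(f"unknown zone in {src_zone!r} -> {dst_zone!r}")
    if (src_zone, dst_zone) in HARD_DENY:
        return False, "hard deny: policy forbids this zone pair outright"
    if TRUST[src_zone] >= TRUST[dst_zone]:
        return True, "default allow: toward equal or lower trust"
    for exc in exceptions:
        if (exc.src_zone, exc.dst_zone, exc.dst_port) == (src_zone, dst_zone, dst_port):
            return True, f"exception: {exc.reason}"
    return False, "default deny: inbound to higher-trust zone without authorized exception"


def lint_exceptions(exceptions):
    """Return the exceptions that can never take effect or contradict policy.

    Flags entries that target a hard-denied pair (they would silently do nothing
    while suggesting the flow is open) and entries that point toward an
    equal-or-lower trust zone (redundant, since that direction is allowed anyway).
    """
    findings = []
    for exc in exceptions:
        if (exc.src_zone, exc.dst_zone) in HARD_DENY:
            findings.append((exc, "contradicts hard deny"))
        elif TRUST[exc.src_zone] >= TRUST[exc.dst_zone]:
            findings.append((exc, "redundant: direction already allowed"))
    return findings


if __name__ == "__main__":
    # Walk the constructed sync chain and a couple of flows the policy should block.
    for flow in [("public", "dmz", 443), ("dmz", "extranet", 5432),
                 ("extranet", "intranet", 5432), ("dmz", "intranet", 5432),
                 ("public", "intranet", 443), ("intranet", "dmz", 22)]:
        allowed, why = evaluate(*flow)
        print(f"{flow[0]:>8} -> {flow[1]:<8}:{flow[2]:<5} {'ALLOW' if allowed else 'DENY '}  {why}")
    for exc, msg in lint_exceptions(EXCEPTIONS + [Allowance("dmz", "intranet", 22, "bad")]):
        print("lint:", msg, exc)
```

The hard-deny set is checked before the exception list on purpose: it keeps an accidentally added "DMZ to intranet" allowance from quietly widening the trust boundary, and the linter surfaces such an entry during review instead of letting it sit unnoticed in the rule base.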

Tags: vpn, dmz, intranet