What is the real function and use of a DMZ on a network?

Reasons why you want a DMZ and the benefits it offers. The general idea is that you put your public-facing servers in the "DMZ network" so that you can separate them from your private, trusted network. The use case is that because your server has a public face, it can be remotely rooted. If that happens, and a malicious party gains access to your server, he should be isolated in the DMZ network and not have direct access to the private hosts (or to a database server, for example, that would be inside the private network and not on the DMZ).

How to do it: There are several ways, but the 'book example' is by utilizing two firewalls (of course you can achieve the same result with one firewall and smart configuration, although hardware isolation is nicer). Your main firewall is between the internet and the server, and the second firewall is between the server and the private network. On this second firewall, all access from the server to the private network ideally would be forbidden (of course it would be a stateful firewall, so if you initiate a connection from the private network to the server it would work).

So, this is a fairly high level overview of DMZ. If you want more technical details please edit your question accordingly.


Of course I can only add to John's answer and here it is:

You separate the DMZ from the rest of the network both in terms of IP routing and security policy.

  1. You identify your network areas. Internal: critical systems; DMZ: systems you can afford to be "exposed", systems you want to host services to the outside world, e.g. your SSH hosts; External: the rest of the world.

  2. You set up these separate areas on your network architecture.

  3. Your firewalls/routers are then configured to allow direct connections from the outside world only to the DMZ. Correspondingly, your internal systems should be able to connect only to the DMZ and access the outside world via HTTP, application proxies, mail relays etc. there. Your firewall rules should reflect these decisions by blocking the corresponding traffic directions/IPs/ports: e.g. inward allow only ports for services operating in the DMZ etc.

  4. Ideally you should configure any services exchanging information between network areas (internal, DMZ, external) to be initiated FROM the most secure network segment TO the less secure areas, e.g. if you need to transfer files to "inside" hosts, have the inside systems initiate the transfer (have the client role, rather than the server role).
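
The zone policy described in the two answers above, written as an nftables forward chain for the single-firewall, three-interface variant (an added example, not part of either answer). The interface names `wan0`, `dmz0` and `lan0`, the address `192.0.2.10` and the published ports are assumptions.

```nftables
# Added example. Assumed interfaces: wan0 = external, dmz0 = DMZ, lan0 = internal.
# 192.0.2.10 is a constructed address standing in for a DMZ web server.

table inet dmz_policy {
    chain forward {
        # Anything not explicitly allowed between zones is dropped.
        type filter hook forward priority 0; policy drop;

        # Stateful part: replies to connections allowed below may return,
        # so a LAN client that opened a session to the DMZ gets its answers.
        ct state established,related accept
        ct state invalid drop

        # External -> DMZ: only the ports of services hosted in the DMZ.
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport { 80, 443 } ct state new accept

        # Internal -> DMZ: the inside host takes the client role.
        iifname "lan0" oifname "dmz0" ct state new accept

        # DMZ -> external: proxies and mail relays in the DMZ reach out.
        iifname "dmz0" oifname "wan0" ct state new accept

        # DMZ -> internal: never initiated from the DMZ. The default policy
        # would drop it anyway; the explicit rule adds a log line and counter
        # so attempts from a compromised DMZ host are visible.
        iifname "dmz0" oifname "lan0" log prefix "dmz-to-lan drop: " counter drop

        # No rule exists for wan0 -> lan0 or lan0 -> wan0: the outside world
        # reaches only the DMZ, and internal hosts go out via the DMZ proxies.
    }
}
```

Load it with `nft -f` on a test host first; the log prefix gives a ready-made search string for alerting on DMZ hosts probing the internal network.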
