Azure DMZ - barialim/architecture GitHub Wiki


Overview

A demilitarized zone (DMZ) network functions as a subnetwork containing an organization's external facing services.

DMZ Architecture

Other names for DMZ

  • Perimeter Network
  • Protect Network
  • Buffer Network
  • Subnetwork

Is a DMZ safe?

The DMZ network itself is not safe. It enables hosts and systems stored within it to be accessible from untrusted external networks, such as the internet, while keeping other hosts and systems on private/corporate networks (LAN) isolated.

Example of External facing services

The most common examples, email among them, include:

  • Web servers: a web server that must communicate with an internal database server may need to be placed in a DMZ. This helps protect the internal database, which often stores sensitive information. The web server then reaches the internal database server through an application firewall or directly, while still remaining under the DMZ's protections.
  • FTP servers: These can host critical content on an organization's site, and allow direct interaction with files. Therefore, an FTP server should always be partially isolated from critical internal systems.
  • Mail servers: individual email messages, as well as the user database built to store login credentials and personal messages, are usually stored on servers without direct access to the internet. Therefore, an email server will be built or placed inside the DMZ in order to interact with and access the email database without directly exposing it to potentially harmful traffic.
  • DNS servers:
  • Proxy:

Goal of DMZ network

The goal of a DMZ network is to protect an organization's internal private local-area network (LAN) from untrusted traffic, which usually comes in from the public internet.

Hence, these services are placed into the monitored subnetwork to help protect the rest of the network if they become compromised.

How host communication is managed in a DMZ network

Hosts in the DMZ have tightly controlled access permissions to other services within the internal network, because the data passed through the DMZ is not as secure.

On top of that, communications between hosts in the DMZ and the external network are also restricted to strengthen the protected border zone. This allows hosts in the protected network to interact with both the internal and the external network, while the application/backend firewall separates and manages all traffic passing between the DMZ (externally exposed services) and the internal network (LAN).

DMZ Firewall in front of DMZ Network

An additional firewall will be responsible for protecting the DMZ from exposure to everything on the external network.

Also known as "Frontend Firewall".

DMZ architecture design

There are numerous ways to construct a network with a DMZ. The two major methods are:

Single firewall (sometimes called a three-legged model)

A modest approach to network architecture involves using a single firewall with a minimum of three network interfaces. The DMZ is placed inside this firewall. The interfaces are used as follows:

  1. The external network interface takes the connection from the ISP
  2. The internal network is connected to the second interface
  3. Connections within the DMZ are handled by the third interface

Dual firewall

The more secure approach is to use two firewalls to create a DMZ. The first firewall (referred to as the "frontend" firewall) only allows external traffic to the DMZ.

The second firewall (referred to as the “backend” firewall) is only responsible for the traffic that travels from the DMZ to the internal network. An attacker would have to compromise both firewalls to gain access to an organization’s LAN.

An effective way of further increasing protection is to use firewalls built by separate vendors, because they are less likely to have the same security vulnerabilities. While more effective, this scheme can be more costly to implement across a large network.

⚠️ NOTE: Organizations can also fine-tune security controls for various network segments. This means that an intrusion detection system (IDS) or intrusion prevention system (IPS) within a DMZ could be configured to block any traffic other than Hypertext Transfer Protocol Secure (HTTPS) requests to the Transmission Control Protocol (TCP) port 443.
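The dual-firewall design and the note above (only HTTPS to TCP 443 reaches the DMZ; only a narrow path leads from the DMZ into the LAN) can be expressed as two rule sets evaluated in priority order, the way Azure network security groups process rules (lowest priority number first, first match wins, implicit deny at the end). The following is an added example, not code from the wiki; the address plan (10.0.1.0/24 for the DMZ, 10.0.2.0/24 for the LAN, a web server at 10.0.1.4 and a database at 10.0.2.4) is constructed for illustration, and `check_flow` is a hypothetical helper that sends a flow through every firewall on its path.

```python
"""Policy model of a dual-firewall DMZ with Azure-NSG-style rule evaluation.

Added example: the subnets, hosts and rule names below are constructed for
illustration and are not taken from the wiki page or from any real deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan (assumption, not from the page).
DMZ_SUBNET = "10.0.1.0/24"
LAN_SUBNET = "10.0.2.0/24"
DMZ_WEB = "10.0.1.4"   # externally facing web server in the DMZ
LAN_DB = "10.0.2.4"    # internal database the web server talks to


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int              # lower number is evaluated first, as in Azure NSGs
    source: str                # CIDR prefix, or "*" for any source
    dest: str                  # CIDR prefix, or "*" for any destination
    dest_port: Optional[int]   # None means any TCP port
    allow: bool


def _in_prefix(addr: str, prefix: str) -> bool:
    """True when addr lies inside prefix; "*" matches everything."""
    return prefix == "*" or ip_address(addr) in ip_network(prefix, strict=False)


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> Tuple[bool, str]:
    """First-match-by-priority evaluation; falls through to an implicit deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (_in_prefix(src, rule.source) and _in_prefix(dst, rule.dest)
                and rule.dest_port in (None, port)):
            return rule.allow, rule.name
    return False, "DefaultDeny"


# Frontend firewall: the only thing the internet may reach is HTTPS into the DMZ.
FRONTEND = [
    Rule("AllowHttpsFromInternet", 100, "*", DMZ_SUBNET, 443, True),
    Rule("DenyAllInbound", 4096, "*", "*", None, False),
]

# Backend firewall: only the web server may open SQL (TCP 1433) to the database.
BACKEND = [
    Rule("AllowSqlFromWeb", 100, DMZ_WEB + "/32", LAN_DB + "/32", 1433, True),
    Rule("DenyAllInbound", 4096, "*", "*", None, False),
]


def check_flow(src: str, dst: str, port: int) -> Tuple[bool, str]:
    """Run a flow through each firewall on its path; every one must allow it.

    External sources cross the frontend firewall; anything bound for the LAN
    crosses the backend firewall. Internet-to-LAN traffic therefore has to
    pass both, which is the point of the dual-firewall design.
    """
    path = []
    if not _in_prefix(src, DMZ_SUBNET) and not _in_prefix(src, LAN_SUBNET):
        path.append(("frontend", FRONTEND))
    if _in_prefix(dst, LAN_SUBNET):
        path.append(("backend", BACKEND))
    if not path:
        return True, "no-firewall-on-path"   # e.g. DMZ host to DMZ host
    verdict = "allowed"
    for fw_name, rules in path:
        allowed, rule = evaluate(rules, src, dst, port)
        verdict = f"{fw_name}:{rule}"
        if not allowed:
            return False, verdict
    return True, verdict


if __name__ == "__main__":
    sample_flows = [  # constructed test traffic
        ("203.0.113.5", DMZ_WEB, 443),   # internet to web server, HTTPS
        ("203.0.113.5", DMZ_WEB, 22),    # internet to web server, SSH
        ("203.0.113.5", LAN_DB, 1433),   # internet straight to the database
        (DMZ_WEB, LAN_DB, 1433),         # web server to database, SQL
        ("10.0.1.5", LAN_DB, 1433),      # another DMZ host to the database
        (DMZ_WEB, LAN_DB, 22),           # web server to database, SSH
    ]
    for src, dst, port in sample_flows:
        ok, why = check_flow(src, dst, port)
        print(f"{src:>13} -> {dst}:{port:<5} {'ALLOW' if ok else 'DENY ':5} ({why})")
```

Running the script prints one line per flow: only the HTTPS request into the DMZ and the web server's SQL connection to the database are allowed; everything else, including a direct internet-to-LAN attempt, stops at the first firewall that has no matching allow rule. Keeping the backend allow rule scoped to a single source host rather than the whole DMZ subnet is what limits a compromised FTP or mail server in the DMZ from reaching the database.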

Benefits of DMZ Network

The main benefit of a DMZ is to provide an internal network with an additional security layer by restricting access to sensitive data and servers by placing a buffer between external users and a private network.

A DMZ enables website visitors to obtain certain services while providing a buffer between them and the organization’s private network. As a result, the DMZ also offers additional security benefits, such as:

Enabling access control

Businesses can provide users with access to services outside the perimeters of their network through the public internet. The DMZ enables access to these services while implementing network segmentation to make it more difficult for an unauthorized user to reach the private network. A DMZ may also include a proxy server, which centralizes internal traffic flow and simplifies the monitoring and recording of that traffic.

Preventing network reconnaissance

By providing a buffer between the internet and a private network, a DMZ prevents attackers from performing the reconnaissance work they carry out in sourcing potential targets. Servers within the DMZ are exposed publicly but are offered another layer of security by a firewall that prevents an attacker from seeing inside the internal network. Even if a DMZ system gets compromised, the internal firewall separates the private network from the DMZ to keep it secure and make external reconnaissance difficult.

Blocking Internet Protocol (IP) spoofing

Attackers can attempt to gain access to systems by spoofing an IP address and impersonating an approved device signed in to a network. A DMZ can discover and stall such spoofing attempts as another service verifies the legitimacy of the IP address. The DMZ also provides network segmentation to create a space for traffic to be organized and public services to be accessed away from the internal private network.
