[Sussex] DMZ Network

Mark Harrison Mark at ascentium.co.uk
Tue Aug 12 14:08:01 UTC 2003


Actually, it can be either :-)

The term DMZ is often used incorrectly to refer to a "secure subnet".

The term "DMZ" strictly means everything between the INTERNAL LAN port on
the innermost firewall, and the Internet. Hence it includes one or more
secure subnets, plus anything between the perimeter firewall and the
boundary router. In practice, most people don't have anything there any
more, for lots of good security reasons.

A secure subnet is what Paul describes - it's a separate thing hung off the
firewall, which has a different security policy / rules / translations to
the internal LAN.

Alternatively, it's a thing between a perimeter firewall and an inner
firewall in higher-security applications where multiple firewall zones are
preferred. (The bigger transactional websites do this - one firewall, then
the web servers, then a different firewall, then application/database
servers which hold confidential data.)

The biggest websites I've been responsible for have multiple zones - so you
get something like:

- Boundary Routers
- Perimeter Firewalls
- Load Balancers
- SSL Accelerators
- Web heads
- Inner Firewalls 1
- Application Servers
- Inner Firewalls 2
- Database servers

The logic is that customer data is only held persistently in the database
servers, so anyone who REALLY wants to hack your customers' credit cards has
to take out three different firewalls to do it... Indeed, in these types of
implementations, the firewalls will all be different, so that the same
exploit can't be used multiple times.

And, as an aside, Linux is increasingly the O/S of choice for the webheads,
since you want lots of them and a good load-balancer, and it's a lot cheaper
to have 10 linux boxes than it is to have 3 Suns and an SSL accelerator box
on the Load Balancer.

Regards,

Mark


----- Original Message -----
From: "Paul Turner" <pturner at rentokil.com>
To: <sussex at mailman.lug.org.uk>
Sent: Tuesday, August 12, 2003 10:28 AM
Subject: Re: [Sussex] DMZ Network


> > > De-Militarized Zone
> >
> > Now I remember, it's where the firewall does not apply.
>
> It's not necessarily that the firewall doesn't apply, but rather it has a
> different set of rules and will allow more incoming traffic.  For example
> if you had a webserver in your DMZ then you would allow incoming requests
> on http/https (ports 80,443).  But these ports should not be open for
> incoming traffic to your internal network.
>
> Regards Paul.
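
The tiered layout Mark lists above (boundary router, perimeter firewall, web heads, inner firewall, application servers, second inner firewall, database servers), modelled as an added example that is not code from the original messages or from any list member. Each firewall is a default-deny allow list between two adjacent zones; the script checks which flows survive the whole chain, and how many zones (and how many differently-sourced firewalls) an attacker coming from the Internet must take over before a connection into the database tier is even possible. Zone names, port numbers and the vendor labels are assumptions made for the example.

```python
"""Policy model of a multi-zone DMZ: ordered zones, one default-deny
firewall between each adjacent pair.  Zone names, ports and vendor labels
are assumed for illustration, not taken from the original message."""
from collections import deque
from dataclasses import dataclass

# Outermost first.  "web" is the secure subnet that holds the web heads.
ZONES = ["internet", "web", "app", "db"]


@dataclass(frozen=True)
class Allow:
    src: str   # zone the connection originates in
    dst: str   # zone that accepts it
    port: int  # TCP destination port


@dataclass(frozen=True)
class Firewall:
    name: str
    vendor: str     # assumed label; a different product at each tier
    between: tuple  # (outer_zone, inner_zone) this firewall separates
    allows: tuple   # explicit allow list; anything else is dropped

    def permits(self, src, dst, port):
        return Allow(src, dst, port) in self.allows


# Assumed policy: each firewall passes only the next tier's service port.
FIREWALLS = [
    Firewall("perimeter", "vendor-A", ("internet", "web"),
             (Allow("internet", "web", 80), Allow("internet", "web", 443))),
    Firewall("inner-1", "vendor-B", ("web", "app"),
             (Allow("web", "app", 8080),)),
    Firewall("inner-2", "vendor-C", ("app", "db"),
             (Allow("app", "db", 5432),)),
]


def firewalls_crossed(src, dst):
    """Firewalls a packet from zone src to zone dst traverses, in order."""
    i, j = ZONES.index(src), ZONES.index(dst)
    lo, hi = sorted((i, j))
    crossed = [fw for fw in FIREWALLS
               if lo <= ZONES.index(fw.between[0])
               and ZONES.index(fw.between[1]) <= hi]
    return crossed if i < j else list(reversed(crossed))


def check_flow(src, dst, port):
    """(True, None) if every firewall on the path permits the flow,
    else (False, name of the first firewall that drops it)."""
    for fw in firewalls_crossed(src, dst):
        if not fw.permits(src, dst, port):
            return False, fw.name
    return True, None


def reachable_from(zone):
    """Zones that a host in `zone` can open a connection into."""
    return sorted({a.dst for fw in FIREWALLS for a in fw.allows
                   if a.src == zone and check_flow(zone, a.dst, a.port)[0]})


def pivot_chain(target):
    """Shortest sequence of zones an attacker starting on the Internet has
    to compromise (one host per zone) before reaching `target`: BFS over
    the 'can connect into' relation.  None if unreachable."""
    prev = {"internet": None}
    queue = deque(["internet"])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:
                path.append(zone)
                zone = prev[zone]
            return path[::-1]
        for nxt in reachable_from(zone):
            if nxt not in prev:
                prev[nxt] = zone
                queue.append(nxt)
    return None


def vendors_on_chain(chain):
    """Firewall vendors defeated along the chain; all distinct here, so one
    exploit cannot be reused at the next tier."""
    vendors = []
    for a, b in zip(chain, chain[1:]):
        vendors.extend(fw.vendor for fw in firewalls_crossed(a, b))
    return vendors


if __name__ == "__main__":
    print(check_flow("internet", "web", 443))
    print(check_flow("internet", "db", 5432))
    print(check_flow("web", "db", 5432))
    print(pivot_chain("db"))
    print(vendors_on_chain(pivot_chain("db")))
```

Run as a script it shows that 443 from the Internet reaches the web heads, that a direct connection from the Internet to the database port is dropped at the perimeter, that even a compromised web head cannot talk to the database (inner-1 only knows about the application port), and that the only route to customer data is Internet, web, app, db, crossing three firewalls from three different vendors. The same model is a cheap way to sanity-check a real rule set before deployment: translate each tier's rules into `Allow` entries and confirm `pivot_chain("db")` still has the length you expect.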