This article is from the Firewalls FAQ, by Matt Curtin cmcurtin@interhack.net and Marcus J. Ranum mjr@nfr.com with numerous contributions by others.

30 What is a DMZ, and why do I want one?

``DMZ'' is an abbreviation for ``demilitarized zone''. In the context of
firewalls, this refers to a part of the network that is neither part of the
internal network nor directly part of the Internet. Typically, this is the
area between your Internet access router and your bastion host, though it
can be between any two policy-enforcing components of your architecture.

A DMZ can be created by putting access control lists on your access router.
This minimizes the exposure of hosts on your external LAN by allowing only
recognized and managed services on those hosts to be accessible by hosts on
the Internet. Many commercial firewalls simply make a third interface off of
the bastion host and label it the DMZ. The point is that the network is
neither ``inside'' nor ``outside''.

For example, a web server running on NT might be vulnerable to a number of
denial-of-service attacks against such services as RPC, NetBIOS and SMB.
These services are not required for the operation of a web server, so
blocking TCP connections to ports 135, 137, 138, and 139 on that host will
reduce the exposure to a denial-of-service attack. In fact, if you block
everything but HTTP traffic to that host, an attacker will only have one
service to attack.

This illustrates an important principle: never offer attackers more to work
with than is absolutely necessary to support the services you want to offer
the public.
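To make the progression above concrete, here is an added example (not code from the FAQ) that models the access router's inbound ACL as a first-match rule list and checks which TCP ports on the web server stay reachable under each policy: wide open, the four RPC/NetBIOS ports blocked, and HTTP only. The addresses, rule sets and probe ports are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

WEB = "192.0.2.10"          # constructed: the DMZ web server's address
DMZ_NET = "192.0.2.0/24"    # constructed: the LAN between access router and bastion host

@dataclass(frozen=True)
class Rule:
    """One line of a stateless access-control list; first match wins."""
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", or "ip" (matches any protocol)
    dst: str               # destination host or network in CIDR form
    dport: Optional[int]   # destination port, None matches any port

    def matches(self, proto: str, dst_ip: str, dport: int) -> bool:
        return (self.proto in ("ip", proto)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.dport in (None, dport))

def evaluate(acl: List[Rule], proto: str, dst_ip: str, dport: int) -> str:
    """Return the action the ACL applies to an inbound packet."""
    for rule in acl:
        if rule.matches(proto, dst_ip, dport):
            return rule.action
    return "deny"   # every ACL ends with an implicit deny

def exposed_ports(acl: List[Rule], host: str, ports: List[int]) -> List[int]:
    """Which of the given TCP ports on host can an Internet host still reach?"""
    return [p for p in ports if evaluate(acl, "tcp", host, p) == "permit"]

# Three inbound rule sets for the access router (constructed), in the order the
# FAQ describes them: wide open, RPC/NetBIOS ports blocked, and HTTP only.
OPEN = [Rule("permit", "ip", "0.0.0.0/0", None)]
BLOCK_NETBIOS = [Rule("deny", "tcp", WEB + "/32", p) for p in (135, 137, 138, 139)] + OPEN
HTTP_ONLY = [Rule("permit", "tcp", WEB + "/32", 80), Rule("deny", "ip", DMZ_NET, None)]

# Constructed probe set: the FAQ's ports plus 445 (SMB over TCP), which a
# block list of only 135-139 leaves open while the allow list does not.
PROBE = [80, 135, 137, 138, 139, 445]

if __name__ == "__main__":
    for name, acl in (("open", OPEN), ("block-netbios", BLOCK_NETBIOS), ("http-only", HTTP_ONLY)):
        print(f"{name:14s} reachable on {WEB}: {exposed_ports(acl, WEB, PROBE)}")
```

The block-list policy still leaves port 445 reachable, which is exactly why the FAQ's closing principle favours permitting only the one service you mean to offer.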
