Question

DMZ Architecture: What is your DMZ architecture? What devices and their function are included? How are DMZ devices connected? How are you planning to provide security to protect the DMZ and at the same time maintaining friendly access to customers?

Answer 1

DMZ Network (“demilitarized zone") functions as a subnetwork containing an organization's exposed, outward-facing services. It acts as the exposed point to an untrusted networks, mainly to the Internet.

We need to :

1. Install and maintain a firewall configuration to protect data of the customer
2. Not use vendor supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update antivirus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to user's data by 'business need to know'
8. Identify and authenticate access to system components
9. Restrict physical access to customer's data
10. Track and monitor all access to network resources and data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

DMZ adds an extra layer of security to an organization's local area network. A protected and monitored network node that faces outside the internal network can access what is exposed in the DMZ, while the rest of the organization's network is safe behind a firewall.

When implemented properly, a DMZ Network gives organizations extra protection in detecting and mitigating security breaches before they reach the internal network, where valuable assets are stored.

Ways we can construct a network with a DMZ. We can create complex architectures as per network requirements:

• Single firewall: It involves using a single firewall, with a minimum of 3 network interfaces. The DMZ will be placed Inside of this firewall. The tier of operations is as follows: the external network device makes the connection from the ISP, the internal network is connected by the second device, and connections within the DMZ is handled by the third network device.
• Dual firewall: The more secure approach is to use two firewalls to create a DMZ. The first firewall (referred to as the “frontend” firewall) is configured to only allow traffic destined for the DMZ. The second firewall (referred to as the “backend” firewall) is only responsible for the traffic that travels from the DMZ to the internal network.

Mainly, we would Only store customer's data if necessary:

If we don't need it, we don't store it.

Retaining unencrypted cardholder data is risky and could end up being very expensive if your business falls victim to a breach.

In addition we may build an Incident Response Plan:

The key to mitigating damage following a breach is, firstly:

• How quickly you can detect the breach

And, secondly:

• How quickly you react to prevent further damage.

Creating and implementing an Incident Response Plan helps an organisation work through the scenarios that could result in their data being exposed. Making sure that the Incident Response Plan actually works is also very important - stress testing it, like a fire alarm is essential in helping your team to understand what to do in the case of a suspected data breach.

This way the security would be provided and also the customers can have a friendly access.