Question

In: Computer Science

DMZ Architecture: What is your DMZ architecture? What devices and their function are included? How are DMZ devices connected? How are you planning to provide security to protect the DMZ and at the same time maintaining friendly access to customers?

Solutions

Expert Solution

In computer networks, a DMZ (demilitarized zone), also sometimes known as a perimeter network or a screened subnetwork, is a physical or logical subnet that separates an internal local area network (LAN) from other untrusted networks -- usually the public internet. External-facing servers, resources and services are located in the DMZ. Therefore, they are accessible from the internet, but the rest of the internal LAN remains unreachable. This provides an additional layer of security to the LAN as it restricts a hacker's ability to directly access internal servers and data through the internet.

Any service provided to users on the public internet should be placed in the DMZ network. Some of the most common of these services include web servers and proxy servers, as well as servers for email, domain name system (DNS), File Transfer Protocol (FTP) and voice over IP (VoIP).

Hackers and cybercriminals around the world can reach the systems running these services on DMZ servers, which need to be hardened to withstand constant attack.

Architecture of network DMZs

There are various ways to design a network with a DMZ. The two basic methods are to use either one or two firewalls, though most modern DMZs are designed with two firewalls. This basic approach can be expanded on to create more complex architectures.

A single firewall with at least three network interfaces can be used to create a network architecture containing a DMZ. The external network is formed by connecting the public internet -- via internet service provider (ISP) connection -- to the firewall on the first network interface. The internal network is formed from the second network interface and the DMZ network itself is connected to the third network interface.

Different sets of firewall rules for monitoring traffic between the internet and the DMZ, the LAN and the DMZ, and the LAN and the internet tightly control which ports and types of traffic are allowed into the DMZ from the internet, limit connectivity to specific hosts in the internal network and prevent unrequested connections either to the internet or the internal LAN from the DMZ.

The more secure approach to creating a DMZ network is a dual-firewall configuration, in which two firewalls are deployed with the DMZ network positioned between them. The first firewall -- also called the perimeter firewall -- is configured to allow external traffic destined to the DMZ only. The second, or internal, firewall only allows traffic from the DMZ to the internal network. This is considered more secure because two devices must be compromised before an attacker can access the internal LAN.

Security controls can be tuned specifically for each network segment. For example, a network intrusion detection and prevention system located in a DMZ could be configured to block all traffic except HTTPS requests to TCP port 443.

DMZs are intended to function as a sort of buffer zone between the public internet and the private network. Deploying the DMZ between two firewalls means that all inbound network packets are screened using a firewall or other security appliance before they arrive at the servers the organization hosts in the DMZ.

If a better-prepared threat actor passes through the first firewall, they must then gain unauthorized access to those services before they can do any damage, and those systems are likely to be hardened against such attacks.

Finally, assuming that a well-resourced threat actor is able to breach the external firewall and take over a system hosted in the DMZ, they must still break through the internal firewall before they can reach sensitive enterprise resources. While a determined attacker can breach even the best-secured DMZ architecture, a DMZ under attack should set off alarms, giving security professionals enough warning to avert a full breach of their organization.

The DMZ will be placed inside this firewall. The tier of operations is as follows: the external network device makes the connection from the ISP, the internal network is connected by the second device, and connections within the DMZ are handled by the third network device.

Note: Plzzz don't give dislike..... Plzzz comment if u have any problem, I will try to resolve it.......
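The rule sets sketched in the solution above (internet-to-DMZ limited to specific ports, DMZ-to-LAN limited to specific hosts, no unrequested DMZ-to-internet or internet-to-LAN connections) can be modelled and checked before they are pushed to a real device. The following is an added example, not part of the expert's answer and not any vendor's firewall syntax: it models the three-interface single-firewall design and the dual-firewall design as zone-based, first-match, default-deny rule tables and evaluates sample connection attempts against them. All hosts and networks (DMZ 192.0.2.0/24, LAN 10.0.0.0/8, the web, mail and database addresses) are constructed for the example, and reply traffic of an already allowed connection is assumed to be passed by the firewall's state table rather than modelled here.

```python
"""Zone-based policy model for a single-firewall (three-interface) DMZ and a
dual-firewall DMZ.  Addresses are constructed for this example: the DMZ uses
192.0.2.0/24 (a documentation range) and the LAN uses 10.0.0.0/8.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

INTERNET, DMZ, LAN = "internet", "dmz", "lan"


@dataclass(frozen=True)
class Flow:
    """A new connection attempt.  Rules decide whether it may be initiated;
    reply packets of an accepted connection are assumed to be handled by the
    firewall's state table and are not modelled."""
    src_zone: str
    dst_zone: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                   # "allow" or "deny"
    dst_net: str = "0.0.0.0/0"    # destination hosts the rule covers
    ports: Tuple[int, ...] = ()   # empty tuple means any destination port
    proto: str = "any"

    def matches(self, f: Flow) -> bool:
        return (self.src_zone == f.src_zone
                and self.dst_zone == f.dst_zone
                and ip_address(f.dst_ip) in ip_network(self.dst_net)
                and (not self.ports or f.dst_port in self.ports)
                and self.proto in ("any", f.proto))


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


# Constructed hosts: public web server and mail relay in the DMZ, one database in the LAN.
WEB, MAIL, DB = "192.0.2.10", "192.0.2.20", "10.0.10.5"

# --- Single firewall, three interfaces: one rule base sees every zone pair ---
SINGLE_FIREWALL = [
    Rule(INTERNET, DMZ, "allow", f"{WEB}/32", (443,)),    # public HTTPS only
    Rule(INTERNET, DMZ, "allow", f"{MAIL}/32", (25,)),    # inbound SMTP only
    Rule(DMZ, LAN, "allow", f"{DB}/32", (5432,)),         # web tier -> one DB host, one port
    Rule(LAN, DMZ, "allow", "192.0.2.0/24", (22, 443)),   # administration and app access
    Rule(LAN, INTERNET, "allow"),                         # outbound browsing from the LAN
    # No DMZ -> INTERNET and no INTERNET -> LAN rule: default deny covers both.
]

# --- Dual firewall: perimeter and internal devices each hold their own policy ---
PERIMETER = [
    Rule(INTERNET, DMZ, "allow", f"{WEB}/32", (443,)),
    Rule(INTERNET, DMZ, "allow", f"{MAIL}/32", (25,)),
    Rule(LAN, INTERNET, "allow"),   # LAN egress transits both devices
    # The perimeter device passes nothing into the LAN zone.
]
INTERNAL = [
    Rule(DMZ, LAN, "allow", f"{DB}/32", (5432,)),
    Rule(LAN, DMZ, "allow", "192.0.2.0/24", (22, 443)),
    Rule(LAN, INTERNET, "allow"),
]


def evaluate_dual(flow: Flow) -> str:
    """A flow is allowed only if every firewall on its path allows it:
    internet<->DMZ crosses the perimeter device, DMZ<->LAN the internal
    device, and internet<->LAN crosses both."""
    path = []
    if INTERNET in (flow.src_zone, flow.dst_zone):
        path.append(PERIMETER)
    if LAN in (flow.src_zone, flow.dst_zone):
        path.append(INTERNAL)
    if not path:
        raise ValueError("intra-DMZ traffic does not cross a firewall in this model")
    return "allow" if all(evaluate(fw, flow) == "allow" for fw in path) else "deny"


def overly_broad(rules: List[Rule]) -> List[Rule]:
    """Audit check: allow rules from the internet must be pinned to both a
    specific destination host and a specific port."""
    return [r for r in rules
            if r.src_zone == INTERNET and r.action == "allow"
            and (r.dst_net == "0.0.0.0/0" or not r.ports)]


if __name__ == "__main__":
    samples = [
        Flow(INTERNET, DMZ, WEB, 443), Flow(INTERNET, DMZ, WEB, 22),
        Flow(INTERNET, LAN, DB, 5432), Flow(DMZ, LAN, DB, 5432),
        Flow(DMZ, LAN, "10.0.0.7", 445), Flow(DMZ, INTERNET, "203.0.113.9", 443),
    ]
    for f in samples:
        print(f"{f.src_zone:>8} -> {f.dst_zone:<8} {f.dst_ip}:{f.dst_port}  "
              f"single={evaluate(SINGLE_FIREWALL, f)}  dual={evaluate_dual(f)}")
    print("broad internet rules:", overly_broad(SINGLE_FIREWALL))
```

Running the module prints the verdict each design gives for the sample connection attempts; the cases worth noticing are that a DMZ host that has been taken over still cannot open connections to the internet or to LAN hosts other than the one database port, and that an internet source never reaches the LAN directly in either design. The `overly_broad` check is the kind of lint a reviewer applies to an exported rule base to catch "any host, any port" exceptions from the internet side.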
