
A Rookie's Guide to Defensive Blocks: Page 5 of 7

This is where a DMZ comes into play. In the military, a DMZ is a buffer between two warring parties to prevent further incursions or attacks. A DMZ in the IT sense is a neutral zone protecting a host or network that is assumed vulnerable. You have the public network (the Internet), a private network that you want to protect and a DMZ network, which is reachable from the Internet. Firewalls with DMZ capabilities have a third network interface for this purpose. You can have several DMZs, depending on the features and number of interfaces on your firewall. By restricting traffic in and out of the DMZ, you make it difficult to hop through the firewall.



[Figure: Setting Up a DMZ]

The theory is that you never want an external user making a direct connection to private internal resources, so the DMZ serves as a semipublic zone. The DMZ should have only tightly controlled connections to the corporate LAN, so that if your Web server is compromised, the attackers can't reach corporate records.

Sometimes this hard separation is nearly impossible. You may have a Web server that needs to communicate with a back-end database that sits on the LAN. This opens up a path from the Internet through the DMZ to the LAN. Never assume an attacker won't be able to figure out how your network is laid out. Terminate all remote users in the DMZ, and limit their access to only those areas they need entry rights to. All remote users are external users, which means you shouldn't trust them. Also, make sure all hosts in the DMZ are hardened and locked down. Make applications as secure as possible; the default settings are not necessarily good enough. Finally, check the logs often to detect trends or attacks; DMZs don't make getting into your network impossible, just more difficult.
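The three-zone policy described above, written out as a first-match rule table with default deny. This is an added example, not code from the article: the addresses, the Web server and database hosts, and the port numbers are constructed for illustration; the only DMZ-to-LAN rule is the single sanctioned hole from the Web server to the database.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the firewall's three interfaces (hypothetical).
ZONES = {
    "lan": ipaddress.ip_network("10.0.0.0/24"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}
WEB_SERVER = "192.0.2.10"   # hardened host in the DMZ
DB_SERVER = "10.0.0.20"     # back-end database on the LAN

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def zone_of(ip: str) -> str:
    """Map an address to lan / dmz; anything else is the public side."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

# First-match table: (src zone, dst zone, src host, dst host, dport, action).
# None means "any". There is no internet -> lan rule at all.
RULES = [
    ("internet", "dmz", None, WEB_SERVER, 443, "accept"),
    ("internet", "dmz", None, WEB_SERVER, 80, "accept"),
    ("dmz", "lan", WEB_SERVER, DB_SERVER, 5432, "accept"),  # the one sanctioned hole
    ("lan", "dmz", None, None, None, "accept"),             # admins manage DMZ hosts
    ("lan", "internet", None, None, None, "accept"),
]

def decide(flow: Flow) -> str:
    """Return 'accept' or 'drop' for a new connection; unmatched traffic is dropped."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    for src_zone, dst_zone, src_host, dst_host, dport, action in RULES:
        if (sz, dz) != (src_zone, dst_zone):
            continue
        if src_host is not None and flow.src != src_host:
            continue
        if dst_host is not None and flow.dst != dst_host:
            continue
        if dport is not None and flow.dport != dport:
            continue
        return action
    return "drop"
```

Note that a second, compromised DMZ host gets no path to the database: the rule is pinned to the Web server's address and one port, which is what limits the damage when the DMZ falls.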

For more information, see our Survivor's Guide security section. Remember that securing your network is not a fire-and-forget-it process. Attackers are staying up nights devising ways around your defenses. As Irish orator John Philpot Curran has been paraphrased, "Eternal vigilance is the price of liberty." We'll add, "And of security."

Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University's Real-World Labs®. Send your comments on this article to him at [email protected].

Firewalls are a start, but what happens if your antivirus, content-filtering or intrusion-detection systems discover an anomaly or attack attempt? You'll want to ban the attacker from accessing any part of your network. This is where you can take advantage of products that let you shun attackers.