Network Security with DMZs - University of Rochester, 5 Dec 2016

Transcript
  • Network Security with DMZs

    Sean Cooke

  • What is a DMZ?

    •  A DMZ (demilitarized zone) is an isolated subnetwork placed between the untrusted, external network and your trusted, internal LAN, used to protect the security of the LAN

    •  Firewall rules isolate this subnetwork from both sides

    •  Only hosts that need to be directly accessed by outside hosts are placed in the DMZ (principle of least privilege)

  • Why Use a DMZ?

    §  Web server in DMZ

    §  Database server on trusted, internal LAN

    §  User on untrusted, external network requests file from web server

    §  Web server builds file with information from database server

    §  Web server provides user appropriate file

  • Why Isolate the DMZ?

    §  Hosts inside the DMZ will be accessible from the outside, untrusted network

    §  Hosts on the trusted, internal LAN will not be directly accessible from the outside, untrusted network

    §  Hosts inside the DMZ can communicate with hosts on the trusted, internal LAN only where a firewall rule explicitly permits it (for example, web server to database server on the database port, and nothing else)

  • Firewalls

    §  A firewall is a packet filter that accepts or rejects packets sent to hosts behind it based on predetermined rules set by the firewall administrator [3]; a stateful firewall also tracks connections, so replies on a connection it already accepted pass without a rule of their own

    §  DMZs can use two network firewalls: one to separate the LAN from the DMZ (inner) and another to separate the DMZ from the WAN (outer)

  • Dual Firewall DMZ

  • DMZ Guarantees

    §  If a host in the DMZ is compromised, the attacker does not automatically gain hosts on the internal LAN: the only paths inward are the flows the inner firewall explicitly permits (such as web server to database port), so those permitted flows define the blast radius of a compromised DMZ host

    §  If a web server is made unavailable by an attack (such as a Denial of Service (DoS)), hosts on the trusted, internal LAN still function [6]

  • DMZ Example
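The dual-firewall layout and the "DMZ guarantees" above, as an added example that is not part of the original slide deck: a model of the two packet filters, with the outer one admitting only the public web ports and the inner one admitting only the web server to the database port. The topology, the addresses (RFC 5737 and RFC 1918 ranges), the service inventory and the Rule/Firewall helpers are assumptions made for the illustration. Both firewalls are treated as stateful first-match filters, so a rule is checked against whoever opens a connection and replies are implied. The blast_radius function shows what a compromised web server can still reach, which is exactly the set of flows the inner firewall permits.

```python
"""Dual-firewall DMZ policy model (added example; topology and helpers are assumptions)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zones and hosts (assumption).
DMZ = ip_network("192.0.2.0/24")    # public web server 192.0.2.10
LAN = ip_network("10.0.0.0/16")     # database 10.0.1.5, workstation 10.0.2.20
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Flow:
    """A new connection attempt: who opens it, to where, on which service."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    src: str = ANY
    dst: str = ANY
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in (None, f.proto)
                and self.dport in (None, f.dport))


class Firewall:
    """First match wins; a flow no rule matches is dropped (default deny)."""

    def __init__(self, name: str, rules: list[Rule]):
        self.name, self.rules = name, rules

    def accepts(self, f: Flow) -> bool:
        return next((r.action == "accept" for r in self.rules if r.matches(f)), False)


# Outer firewall: between the WAN and the DMZ. Only the public web ports are reachable.
OUTER = Firewall("outer", [
    Rule("accept", dst="192.0.2.10/32", proto="tcp", dport=80),
    Rule("accept", dst="192.0.2.10/32", proto="tcp", dport=443),
    Rule("accept", src=str(DMZ), proto="udp", dport=53),   # DMZ hosts may resolve names
    Rule("accept", src=str(LAN)),                           # LAN users browse out
])

# Inner firewall: between the DMZ and the LAN. Least privilege: the web server
# may open only the database port; the LAN manages DMZ hosts over SSH.
INNER = Firewall("inner", [
    Rule("accept", src="192.0.2.10/32", dst="10.0.1.5/32", proto="tcp", dport=5432),
    Rule("accept", src=str(LAN), dst=str(DMZ), proto="tcp", dport=22),
    Rule("drop", src=str(LAN), dst=str(DMZ)),               # nothing else from LAN into DMZ
    Rule("accept", src=str(LAN)),                           # LAN -> WAN passes through
])


def zone(ip: str) -> str:
    a = ip_address(ip)
    return "dmz" if a in DMZ else "lan" if a in LAN else "wan"


def allowed(f: Flow) -> bool:
    """A connection succeeds only if every firewall on its path accepts it."""
    zones = frozenset({zone(f.src), zone(f.dst)})
    if len(zones) == 1:
        return True                       # same subnet: no firewall in between
    path = {frozenset({"wan", "dmz"}): [OUTER],
            frozenset({"dmz", "lan"}): [INNER]}.get(zones, [OUTER, INNER])
    return all(fw.accepts(f) for fw in path)


# Constructed service inventory (assumption): every listening socket we know of.
SERVICES = [
    ("192.0.2.10", "tcp", 22), ("192.0.2.10", "tcp", 80), ("192.0.2.10", "tcp", 443),
    ("10.0.1.5", "tcp", 22), ("10.0.1.5", "tcp", 5432),
    ("10.0.2.20", "tcp", 445), ("10.0.2.20", "tcp", 3389),
]


def blast_radius(compromised: str) -> list[tuple[str, str, int]]:
    """Services an attacker who owns `compromised` can open connections to."""
    return [s for s in SERVICES if s[0] != compromised and allowed(Flow(compromised, *s))]


if __name__ == "__main__":
    print("compromised web server reaches:", blast_radius("192.0.2.10"))
    print("internet host reaches:", blast_radius("203.0.113.7"))
```

The value of the model is the blast_radius check: run it against the real inventory and the answer for the web server should be the database port and nothing else. If SSH or SMB on a LAN host shows up, the inner firewall is not enforcing the least-privilege rule the slides assume, and the "guarantee" on the previous slide no longer holds.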

  • Communicating with Hosts on the Trusted, Internal LAN

    §  By default, only hosts on the trusted, internal LAN can initiate connections to other hosts on the trusted, internal LAN

    §  How do we communicate with hosts on the trusted, internal LAN if we are not on the trusted, internal LAN?

  • VPN

    §  A VPN (Virtual Private Network) connection can be used to extend a private network across the Internet

    §  To communicate with hosts on your LAN from an external network, connect to a VPN server on your LAN

  • How do VPNs Work?

    §  VPNs work by tunneling: the client's packets for the LAN are encrypted and encapsulated inside ordinary packets addressed to the VPN server, which decrypts them and forwards them onto the LAN [8]

    §  The client is given an address on the private network (from a pool on the VPN server), so hosts on the trusted, internal LAN see the remote user as a LAN-side peer rather than as an outside host

    §  VPN connections are encrypted, which provides confidentiality between the client and the VPN server [7]; traffic beyond the VPN server onto the LAN is protected only if the LAN hosts encrypt it themselves

  • DMZ with VPN Example
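The tunnel described under "How do VPNs Work?", as an added example that is not part of the original slide deck: a client with an address from the VPN pool sends a packet to the database on the LAN, the packet travels encrypted inside a UDP datagram addressed to the VPN server's public address, and the server verifies, decapsulates and forwards it, so the database sees the pool address as the peer. The addresses, the frame format and the client_send/server_receive helpers are assumptions for the illustration. Encryption is encrypt-then-MAC over an HMAC-SHA256 keystream only because the standard library ships no AEAD; real VPNs use AES-GCM (IPsec) or ChaCha20-Poly1305 (WireGuard). The server also refuses to forward an inner packet whose source is not the address it assigned to that tunnel, which is the check that stops a client from impersonating a LAN host.

```python
"""Remote-access VPN modelled as a tunnel (added example; addresses and framing are assumptions)."""
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("10.8.0.0/24")   # addresses handed out to VPN clients (assumption)
LAN = ip_network("10.0.0.0/16")        # trusted internal LAN (assumption)
VPN_SERVER_PUBLIC = "198.51.100.1"     # WAN-facing address of the VPN server (assumption)
VPN_PORT = 1194                        # UDP port the tunnel uses (OpenVPN's default)
TAG_LEN = 32                           # HMAC-SHA256 tag


@dataclass(frozen=True)
class Packet:
    """Simplified inner IP packet: source, destination and payload."""
    src: str
    dst: str
    payload: bytes


@dataclass(frozen=True)
class Datagram:
    """The outer UDP datagram that actually crosses the Internet."""
    src_ip: str
    dst_ip: str
    dport: int
    data: bytes


def derive_keys(shared_secret: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and MAC keys from one handshake secret."""
    return (hmac.new(shared_secret, b"enc", hashlib.sha256).digest(),
            hmac.new(shared_secret, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    # HMAC in counter mode, stand-in for a real cipher; seq must never repeat under one key.
    blocks = [hmac.new(enc_key, struct.pack(">QI", seq, i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(enc_key: bytes, mac_key: bytes, seq: int, pkt: Packet) -> bytes:
    """Frame = seq || ciphertext(inner packet) || HMAC tag over both."""
    inner = f"{pkt.src}>{pkt.dst}\n".encode() + pkt.payload
    ct = bytes(a ^ b for a, b in zip(inner, _keystream(enc_key, seq, len(inner))))
    body = struct.pack(">Q", seq) + ct
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_frame(enc_key: bytes, mac_key: bytes, frame: bytes, last_seq: int) -> tuple[int, Packet]:
    """Verify the tag, reject replays, then decrypt. Raises ValueError on failure."""
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if len(body) < 8 or not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    seq = struct.unpack(">Q", body[:8])[0]
    if seq <= last_seq:
        raise ValueError("replayed frame")
    ct = body[8:]
    inner = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, seq, len(ct))))
    header, _, payload = inner.partition(b"\n")
    src, _, dst = header.decode().partition(">")
    return seq, Packet(src, dst, payload)


def client_send(enc_key, mac_key, seq, client_public_ip, pkt) -> Datagram:
    """The client wraps a LAN-bound inner packet in a datagram to the VPN server."""
    return Datagram(client_public_ip, VPN_SERVER_PUBLIC, VPN_PORT, seal(enc_key, mac_key, seq, pkt))


def server_receive(enc_key, mac_key, dgram, assigned_ip, last_seq) -> tuple[int, Packet | None]:
    """Unwrap the datagram and forward the inner packet onto the LAN only if its
    source is the pool address this tunnel was assigned (a client cannot claim a
    LAN address) and its destination is on the LAN. Returns (seq, packet or None)."""
    seq, pkt = open_frame(enc_key, mac_key, dgram.data, last_seq)
    if (pkt.src != assigned_ip or ip_address(pkt.src) not in VPN_POOL
            or ip_address(pkt.dst) not in LAN):
        return seq, None   # dropped at the VPN server
    return seq, pkt        # what the LAN host receives: source is the pool address


def demo() -> Packet | None:
    enc, mac = derive_keys(b"constructed handshake secret")
    assigned = "10.8.0.2"                                # from VPN_POOL
    query = Packet(assigned, "10.0.1.5", b"SELECT 1")    # to the database on the LAN
    dgram = client_send(enc, mac, 1, "203.0.113.7", query)
    _, forwarded = server_receive(enc, mac, dgram, assigned, 0)
    return forwarded


if __name__ == "__main__":
    print(demo())
```

Two things to read off the model: the outer datagram carries only the client's real public address and the server's, with an opaque body, which is all an on-path observer sees; and the database receives a packet from 10.8.0.2, an address the VPN server controls, not a spoofed copy of the server's own address. The sequence check and the source check at the server are what keep a stolen or replayed datagram from turning into LAN access.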

  • References

    1.  "DMZ (computing)." Wikipedia. Wikimedia Foundation, n.d. Web. 11 Nov. 2016.
    2.  Edwards, John. "VPN: The Pros and Cons." ITSecurity, 11 Feb. 2008. Web. 11 Nov. 2016.
    3.  "Firewall (computing)." Wikipedia. Wikimedia Foundation, n.d. Web. 11 Nov. 2016.
    4.  Rouse, Margaret, and Mike Cobb. "What Is DMZ (demilitarized Zone)?" SearchSecurity, n.d. Web. 11 Nov. 2016.
    5.  Shinder, Deb. "SolutionBase: Strengthen Network Defenses by Using a DMZ." TechRepublic, 29 June 2005. Web. 11 Nov. 2016.
    6.  Brecht, Daniel, and Linda Richter. "How to Prevent a Denial of Service Attack." Bright Hub, 14 Sept. 2011. Web. 27 Nov. 2016.
    7.  Waddilove, Roland. "Why You Need a VPN." PC Advisor, 18 Sept. 2013. Web. 27 Nov. 2016.
    8.  Tarantola, Andrew. "VPNs: What They Do, How They Work, and Why You're Dumb for Not Using One." Gizmodo, 2013. Web. 30 Nov. 2016.

  • Any Questions?

    Thank You

