Demilitarized Zone (DMZ) in computer networking

181 views 16 slides Nov 27, 2024

About This Presentation

A Demilitarized Zone (DMZ) in computer networking is a specialized subnetwork that acts as a buffer zone between an organization's internal network and the public internet. It is designed to add an extra layer of security by isolating external-facing services from the rest of the organization's ...


Slide Content

SECURITY TOPOLOGIES: DMZ, Internet Zone, Intranet Zone

General Framework

1. What is a DMZ (Demilitarized Zone)?
- A DMZ is a computer network that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet.
- Also known as a Data Management Zone, Demarcation Zone, or Perimeter Network.

Typical components of a DMZ network
- Web servers that need to be made available to the general public, such as the company's primary Web presence advertising its products or services.
- Public DNS servers that resolve the names in your domain to the appropriate IP addresses for users outside your organization.
- Public FTP servers on which you provide files to the public, such as downloads of your product manuals or software drivers.
- Anonymous SMTP relays that forward e-mail from the Internet to internal mail server(s).
- Servers running complex e-commerce Internet and extranet applications.
- Proxy servers.

Split Configurations
- Mail services can be split between servers on the DMZ and the internal network: the internal mail server handles e-mail from one computer to another on the internal network, while mail that comes in from, or is sent to, computers outside the internal network over the Internet is handled by an SMTP gateway located in the DMZ.
- For e-commerce systems, the front-end server, directly accessible by Internet users, is in the DMZ; the back-end servers that store sensitive information are on the internal network.

DMZ with two firewalls
A DMZ that uses two firewalls is called a back-to-back DMZ. An advantage of this configuration is that you can put a fast packet-filtering firewall/router at the front end (the Internet edge) to increase the performance of your public servers, and place a slower application-layer filtering (ALF) firewall at the back end (next to the corporate LAN) to provide more protection to the internal network without negatively impacting performance for your public servers.

Tri-homed DMZ
When a single firewall is used to create a DMZ, it is called a tri-homed DMZ. The firewall computer or appliance has interfaces to three separate networks:
- The internal interface to the trusted network (the internal LAN)
- The external interface to the untrusted network (the public Internet)
- The interface to the semi-trusted network (the DMZ)

Creating a DMZ Infrastructure
Two important characteristics of the DMZ are:
- A different network ID from the internal network. A DMZ can use either public or private IP addresses, depending on its architecture: if using public addresses, subnet the IP address block assigned by your ISP; if using private IP addresses for the DMZ, a Network Address Translation (NAT) device will be required.
- It is separated from both the Internet and the internal network by a firewall.

Security of DMZ
The level of security within the DMZ also depends on the nature of the servers that are placed there. We can divide DMZs into two security categories:
- DMZs designed for unauthenticated or anonymous access
- DMZs designed for authenticated access

Host Security on the DMZ
Be sure to set strong passwords and use RADIUS or other certificate-based authentication for accessing the management console remotely. To allow you to manage the router through a Web page, it runs an HTTP server. It is good security practice to disable the HTTP server, as it can serve as a point of attack, and use HTTPS instead.

Example Network

Limit Traffic Allowed into the Corporate Network
Traffic allowed into the corporate network must be limited. Traffic entering the corporate network will be coming from either the Internet or the DMZ. All traffic that originated from the corporate network can be allowed back into that network; no other traffic is desired into the corporate network. (Example network diagram labels: 10.1.1.1/24, 10.10.10.1/24, 172.16.2.0/24)

Deter Spoofing
Spoofing is a common method used to attempt to forge a valid internal source IP address. To deter spoofing, it is decided to configure an access list so that Internet hosts cannot easily spoof an internal network address. Three common source IP addresses that hackers attempt to forge are valid internal addresses (e.g., 10.10.10.0), loopback addresses (i.e., 127.x.x.x), and multicast addresses (i.e., 224.x.x.x – 239.x.x.x).
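The tri-homed firewall policy the slides describe (only return traffic into the corporate network, anti-spoofing on the Internet interface, and only published services reachable in the DMZ), as an added Python example that is not part of the original presentation. It assumes 10.10.10.0/24 is the internal LAN (from the slide's example address), treats 10.1.1.0/24 as the DMZ block (an assumed reading of the diagram label), and assumes the published DMZ service ports.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the tri-homed DMZ: the internal block follows the slide's
# 10.10.10.0 example; treating 10.1.1.0/24 as the DMZ is an assumption about the diagram.
INTERNAL_NET = ip_network("10.10.10.0/24")
DMZ_NET = ip_network("10.1.1.0/24")
# Sources an Internet host should never present (Deter Spoofing slide).
SPOOFED_SOURCES = [INTERNAL_NET, ip_network("127.0.0.0/8"), ip_network("224.0.0.0/4")]
# Ports for the DMZ services the slides list (SMTP relay, DNS, web); assumed values.
PUBLISHED_DMZ_PORTS = {25, 53, 80, 443}


@dataclass(frozen=True)
class Packet:
    in_if: str         # firewall interface the packet arrives on: "internet", "dmz" or "internal"
    src: str
    dst: str
    dport: int
    established: bool  # True if the packet answers a flow the firewall already saw leave


def zone_of(addr: str) -> str:
    """Map a destination address to the zone behind one of the three interfaces."""
    ip = ip_address(addr)
    if ip in INTERNAL_NET:
        return "internal"
    if ip in DMZ_NET:
        return "dmz"
    return "internet"


def decide(pkt: Packet) -> tuple[str, str]:
    """Return (verdict, reason) for a packet crossing the tri-homed firewall."""
    # Rule 1 (Deter Spoofing): traffic arriving on the Internet interface may not claim
    # an internal, loopback or multicast source address.
    if pkt.in_if == "internet" and any(ip_address(pkt.src) in n for n in SPOOFED_SOURCES):
        return "DROP", "anti-spoof"
    dst_zone = zone_of(pkt.dst)
    # Rule 2 (Limit Traffic): only replies to flows that originated inside the corporate
    # network may enter it, whether they arrive from the Internet or from the DMZ.
    if dst_zone == "internal":
        return ("ACCEPT", "return traffic") if pkt.established else ("DROP", "unsolicited inbound")
    # Rule 3: Internet hosts reach only the published DMZ services.
    if dst_zone == "dmz" and pkt.in_if == "internet":
        return ("ACCEPT", "published service") if pkt.dport in PUBLISHED_DMZ_PORTS else ("DROP", "unpublished port")
    # Everything else is outbound (internal or DMZ toward the Internet, or internal toward the DMZ).
    return "ACCEPT", "outbound"
```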

2. INTERNET ZONE
The Internet is the name given to the entire public network which provides the infrastructure for the transfer of data between remote points. Such data can take the form of e-mail, web pages, files, multimedia and just about anything else that exists in digital form. Every computer on the Internet is identified by an IP address. A special system, DNS (Domain Name System), is used to give names to IP addresses.

INTRANET ZONE
An intranet can be described as a mini-Internet built within the safety of a secure networking environment. Intranets are typically used to provide internal corporate web sites for employee-only access. Because the intranet servers have internal, private IP addresses and reside behind firewalls, they are generally not accessible to the outside world. If external access to an intranet is needed, this is best achieved through the implementation of a Virtual Private Network (VPN).

VLAN (Virtual Local Area Networks)
- A way of dividing a single physical network switch among multiple network segments or broadcast domains.
- Ability to configure multiple LANs on a single switch.
- Trunk: allows switches to share many VLANs over a single physical link.
- Routers are needed to make different VLANs talk to each other.