LND DMZ April2nd


DMZ

Rakesh B/ April 2nd, 2015

Introduction to DMZ
A typical DMZ
Different Zones

Introduction to a DMZ

• DMZ (demilitarized zone)
– A computer host or small network inserted as a “neutral zone” between
a company’s private network and the outside public network
– A network construct that provides secure segregation of networks that
host services for users, visitors, or partners
• Basically, it involves adding multiple firewall layers of security
between the Internet and a company’s critical data.

A typical DMZ configuration includes:
• An outer firewall between the Internet and the web server that processes
the requests originating on the company website.
• An inner firewall between the web server and the application server to
which it forwards requests. The data resides behind this inner firewall.

Zones
Intranet (Internal)
A network topology or application (web portal) that enterprises use as a single
point of access to deliver services to employees and business units.
Also called a campus network.
Its main purpose is to share company information and resources among employees.
Extranet (External)
A private network that uses the Internet protocol and the public telecommunication
system to securely share part of a business’s information or operations with suppliers,
vendors, partners, customers, or other businesses.
Intended for users outside of the company.
Requires firewall management, the use of digital certificates, encryption, and the use of
VPNs.

• Presentation Zone (PZ): Hosts servers that should be directly accessible
over the public Internet.
e.g. bank websites, online shopping sites, etc.

• Secure Zone (SZ): Hosts services that should be accessed only by servers in the PZ,
e.g. authentication services, application databases, user account details.
This also provides an additional layer of security for confidential data
should a server in the PZ be compromised.

• Secure Monitoring Zone: Hosts the management interfaces of all devices, which are
monitored to ensure the security of the entire DMZ environment.

Introduction to A Firewall
Analogy
Firewall Policies

What is a Firewall?

• A firewall is an access control device that looks at each IP packet,
compares it with the policy rules and decides whether to allow, deny or take
other action on the packet.

A Simple Analogy: Firewall as a Security Guard

• You are Mr. John and want to meet Mr. Javed.
• Guard: Should I allow this? Let me check ‘My Rules Book’.
• I will allow you in provided you have an ID: authenticate yourself.
• I am supposed to log all the information: name, address, purpose, time.
Firewall Policies
• To protect private networks and individual machines from
the dangers of the greater Internet, a firewall can be
employed to filter incoming or outgoing traffic based on a
predefined set of rules called firewall policies.

Policy Actions
• Packets flowing through a firewall can have one of three outcomes:
– Accepted: permitted through the firewall
– Dropped: not allowed through, with no indication of failure sent to the source
– Rejected: not allowed through, accompanied by an attempt to inform
the source that the packet was rejected.
• The policies the firewall uses to handle packets are based on several
properties of the packets being inspected, such as:
– the protocol used (TCP or UDP)
– the source and destination IP addresses
– the source and destination ports
Blacklists and Whitelists
There are two fundamental approaches to creating firewall policies (or rulesets) to effectively
minimize vulnerability to the outside world while maintaining the desired functionality for the
machines in the trusted internal network (or individual computer).
• Blacklist approach
– All packets are allowed through except those that fit the rules defined specifically in a
blacklist.
– This type of configuration is more flexible in ensuring that service to the internal network is
not disrupted by the firewall, but is naïve from a security perspective in that it assumes the
network administrator can enumerate all of the properties of malicious traffic.
• Whitelist approach
– A safer approach to defining a firewall ruleset is the default-deny policy, in which packets
are dropped or rejected unless they are specifically allowed by the firewall.
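The slides describe the three policy actions and the two ruleset approaches in words; as an added example (not from the slides), the following Python evaluates first-match rulesets over the packet properties listed above, with the outer firewall of the DMZ layout written once as a whitelist (default-deny) and once as a blacklist (default-allow). The addresses, subnet and port numbers are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port

@dataclass(frozen=True)
class Rule:
    action: str                  # "accept", "drop" or "reject"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR or single host; default matches any
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

def evaluate(rules: List[Rule], p: Packet, default: str) -> str:
    """First matching rule decides; 'default' applies when nothing matches."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

# Constructed addresses (not from the slides): web server in the Presentation
# Zone, Secure Zone subnet holding the application database.
WEB, SZ_NET = "203.0.113.10", "10.0.0.0/24"

# Whitelist (default-deny): only HTTPS to the web server is accepted, SSH to it
# is rejected with a notification, anything else is silently dropped.
OUTER_WHITELIST = [Rule("accept", "tcp", dst=WEB, dport=443),
                   Rule("reject", "tcp", dst=WEB, dport=22)]
# Blacklist (default-allow): only what the administrator enumerated is blocked,
# so an unintended service exposed on the web server still gets through.
OUTER_BLACKLIST = [Rule("drop", dst=SZ_NET)]

def outer_whitelist(p: Packet) -> str:
    return evaluate(OUTER_WHITELIST, p, default="drop")

def outer_blacklist(p: Packet) -> str:
    return evaluate(OUTER_BLACKLIST, p, default="accept")
```

Feed both functions a packet for an unintended port on the web server (e.g. 3306): the whitelist drops it, while the blacklist accepts it because nobody enumerated it.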

Next session
• LIS (Leverage Internet Services)
• Types of Firewalls.
• Key Features of Firewalls.
– VPNs
– Types of VPNs
– IDS & Types of Detection systems.

Thank you.
