DMZ

DMZ is the abbreviation of the English term "demilitarized zone"; its Chinese name is 隔离区 (isolation zone), and it is also called 非军事化区 (demilitarized area). It was created to solve the problem that, once a firewall is installed, the external network can no longer reach servers on the internal network: it is a buffer between the non-secure and the secure system, a small network segment placed between the enterprise's internal network and the external network. Servers that must be public, such as the enterprise's web server, FTP server and forum, can be placed in this segment. On the other hand, such a DMZ protects the internal network more effectively, because compared with a plain firewall design this deployment puts one more barrier in the attacker's path. The network structure is shown in the figure below.


Network equipment vendors have used this technique to develop corresponding firewall solutions, called the "demilitarized zone architecture model". A DMZ is usually a screened subnet; it builds a secure zone between the internal network and the external network. The network structure is shown in the figure below.


The DMZ firewall solution adds a line of defense in front of the internal network it protects and is generally considered very secure. At the same time it provides an area in which to place public servers, which avoids the situation where an interconnected application must be exposed publicly while the internal security policy forbids it. The DMZ usually contains the bastion host, the modem pool and all public servers; note, however, that an e-commerce server in the DMZ serves only the user-facing connections, and the real e-commerce back-end data must be kept in the internal network.
This firewall solution contains two firewalls. The external firewall blocks attacks from the external network and manages all access from the internal network to the DMZ. The internal firewall manages access from the DMZ to the internal network. The internal firewall is the internal network's third line of defense (after the external firewall and the bastion host); when the external firewall fails, it can still protect the internal network. Within the LAN, access to the Internet is controlled by the internal firewall and by the bastion host located in the DMZ. In this structure an attacker must pass through three independent barriers (the external firewall, the internal firewall and the bastion host) to reach the LAN. The difficulty of attack is greatly increased and, correspondingly, the security of the internal network is greatly strengthened, but the investment cost is also the highest.


DMZ (computing)

From Wikipedia, the free encyclopedia


In computer security, a demilitarized zone, named after the military usage of the term and normally abbreviated to DMZ, also known as a demarcation zone or perimeter network, is a physical or logical subnetwork that contains and exposes an organization's external services to a larger, untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's Local Area Network (LAN): an external attacker only has access to equipment in the DMZ, rather than to the whole of the network.


Rationale

In a network, the hosts most vulnerable to attack are those that provide services to users outside of the LAN, such as e-mail, web and DNS servers. Because of the increased potential of these hosts being compromised, they are placed into their own subnetwork in order to protect the rest of the network if an intruder were to succeed. Hosts in the DMZ should not be able to establish communication directly with any other host in the internal network, though communication with other hosts in the DMZ and with the external network is allowed. This allows hosts in the DMZ to provide services to both the internal and the external network, while an intervening firewall controls the traffic between the DMZ servers and the internal network clients.

Services that belong in the DMZ

Generally, any service that is provided to users on an external network should be placed in the DMZ. The most common of these services are web servers, mail servers, FTP servers, VoIP servers and DNS servers. In some situations, additional steps need to be taken to be able to provide these services securely.

Web servers

Web servers may need to communicate with an internal database to provide some specialised services. Since the database server is not publicly accessible and may contain sensitive information, it should not be in the DMZ. Generally, it is not a good idea to allow the web server to communicate directly with the internal database server. Instead, an application server can be used to act as a medium for communication between the web server and the database server. This may be more complicated, but provides another layer of security.

E-mail servers

Because of the confidential nature of e-mail, it is not a good idea to store it in the DMZ. Instead, e-mail should be stored on an internal e-mail server. The mail server in the DMZ should pass incoming mail to the internal mail server and the internal mail server should pass outgoing mail to the external mail server. Ideally, all communications should be initiated by the internal mail server.

Proxy servers

For security, legal compliance and monitoring reasons, in a business environment it is also recommended to install a proxy server within the DMZ. This has the following benefits:

  • Obliges the internal users (usually employees) to use this particular proxy to get Internet access. The users should not be allowed to browse the Internet directly and bypass the DMZ defenses.
  • Allows the company to save on Internet bandwidth, because some of the web content may be cached by the proxy server.
  • Allows the system administrator to record and monitor user activities and make sure no illegal content is downloaded or uploaded by the employees. In many EU countries, for example, a company director is liable for employees' Internet activities.

Reverse proxy servers

A reverse proxy server provides the same service as a proxy server, but the other way around. Instead of providing a service to internal users, it provides indirect access to internal resources from the external network (usually the Internet). Access to a back-office application, such as an e-mail system, can be provided to external users (to read e-mail while outside the company), but the remote user does not have direct access to the e-mail server. Only the reverse proxy server can physically reach the internal e-mail server. This is an extra layer of security, which is particularly recommended when an internal resource needs to be accessed from the outside. Usually such a reverse proxy mechanism is provided by an application-layer firewall, as these focus on the specific shape of the traffic rather than controlling access to specific TCP and UDP ports as a packet-filter firewall does.

Architecture

There are many different ways to design a network with a DMZ. Two of the most basic methods are with a single firewall, also known as the three-legged model, and with dual firewalls. These architectures can be expanded into very complex designs depending on the network requirements.

Single firewall

A single firewall with at least three network interfaces can be used to create a network architecture containing a DMZ. The external network is formed from the ISP to the firewall on the first network interface, the internal network is formed from the second network interface, and the DMZ is formed from the third network interface. The firewall becomes a single point of failure for the network and must be able to handle all of the traffic going to the DMZ as well as to the internal network.

Dual firewalls

A more secure approach is to use two firewalls to create a DMZ. The first firewall (also called the "front-end" firewall) must be configured to allow both traffic destined for the DMZ and traffic for the internal network. The second firewall (also called the "back-end" firewall) must be configured to allow only traffic destined for the internal network that originates from the DMZ. The first firewall must be able to handle a much larger amount of traffic than the second firewall. Some recommend using firewall solutions from two different vendors, the reasoning being that if an attacker manages to break through the first firewall, it will take even more time to break the second one if it is different. This architecture is more costly. Additionally, the practice of using different devices from different vendors could be described as either defense in depth or, from an opposing viewpoint, security through obscurity.

DMZ host

Some home routers refer to a DMZ host. A home router DMZ host is a host on the internal network that has all ports exposed, except those ports that are forwarded elsewhere. By definition this is not a true DMZ (demilitarized zone), since nothing separates the host from the internal network: the DMZ host is able to connect to hosts on the internal network. Hosts within a real DMZ, by contrast, are prevented from connecting to the internal network by the firewall that separates them, unless the firewall explicitly permits the connection. A firewall may allow this if a host on the internal network first requests a connection to the host within the DMZ.
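The zone policy described in the Rationale, Proxy servers, E-mail servers, Dual firewalls and DMZ host sections can be written down as a small stateful rule set and checked against concrete flows. The following Python is an added example and not part of the Wikipedia article or any firewall product; the subnets (10.0.0.0/24 for the LAN, 172.16.1.0/24 for the DMZ), the host addresses, the published ports and the proxy address are all constructed for the example. It models a three-legged or dual-firewall DMZ (DMZ hosts never initiate toward the LAN, but return traffic on a LAN-initiated connection is allowed) and, for contrast, the home-router "DMZ host", which applies no filtering at all between the exposed host and the rest of the LAN.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for this example: LAN and DMZ are RFC 1918 subnets,
# anything else is treated as the external network (the Internet).
ZONES = {
    "INTERNAL": ip_network("10.0.0.0/24"),
    "DMZ": ip_network("172.16.1.0/24"),
}

# Services the DMZ publishes to the outside (constructed hosts and ports).
PUBLISHED = {
    "172.16.1.10": {80, 443},  # web server
    "172.16.1.25": {25},       # SMTP relay for inbound mail
    "172.16.1.53": {53},       # public DNS
}
PROXY = "172.16.1.80"          # forward proxy that internal users must go through


def zone_of(ip: str) -> str:
    """Map an address to INTERNAL, DMZ or EXTERNAL."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "EXTERNAL"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


class DmzFirewall:
    """Stateful zone policy for a three-legged / dual-firewall DMZ."""

    def __init__(self) -> None:
        self.conntrack: set[Flow] = set()  # flows accepted at connection setup

    def new_connection(self, flow: Flow) -> str:
        """Verdict for the first packet of a new connection."""
        verdict = self._policy(zone_of(flow.src), zone_of(flow.dst), flow)
        if verdict == "ACCEPT":
            self.conntrack.add(flow)
        return verdict

    def reply_to(self, forward: Flow) -> str:
        """Return traffic is accepted only if the forward flow was accepted.
        This is the only way a DMZ host gets to send anything to a LAN host:
        the LAN host must have opened the connection first."""
        return "ACCEPT" if forward in self.conntrack else "DROP"

    @staticmethod
    def _policy(sz: str, dz: str, flow: Flow) -> str:
        if sz == "EXTERNAL" and dz == "DMZ":
            return "ACCEPT" if flow.dport in PUBLISHED.get(flow.dst, ()) else "DROP"
        if sz == "INTERNAL" and dz == "DMZ":
            return "ACCEPT"  # clients reach DMZ services; mail server polls the relay
        if sz == "INTERNAL" and dz == "EXTERNAL":
            return "DROP"    # direct browsing would bypass the proxy in the DMZ
        if sz == "DMZ" and dz in ("EXTERNAL", "DMZ"):
            return "ACCEPT"  # relay delivers outbound mail, proxy fetches pages
        return "DROP"        # EXTERNAL->INTERNAL and DMZ->INTERNAL never initiate


def home_router_dmz_host(flow: Flow, exposed_host: str) -> str:
    """Home-router 'DMZ host': every port not forwarded elsewhere lands on one
    LAN host, and that host shares the LAN with everything else, so nothing
    filters its traffic toward other internal hosts."""
    if zone_of(flow.src) == "EXTERNAL":
        return "ACCEPT" if flow.dst == exposed_host else "DROP"
    return "ACCEPT"


def demo() -> dict[str, str]:
    """Evaluate a set of constructed flows and return the verdict per case."""
    fw = DmzFirewall()
    mail_poll = Flow("10.0.0.25", "172.16.1.25", 25)  # internal mail server -> relay
    return {
        "web_from_outside": fw.new_connection(Flow("203.0.113.7", "172.16.1.10", 443)),
        "ssh_from_outside": fw.new_connection(Flow("203.0.113.7", "172.16.1.10", 22)),
        "outside_to_lan": fw.new_connection(Flow("203.0.113.7", "10.0.0.5", 445)),
        "mail_poll": fw.new_connection(mail_poll),
        "relay_reply_to_poll": fw.reply_to(mail_poll),
        "relay_push_to_lan": fw.new_connection(Flow("172.16.1.25", "10.0.0.25", 25)),
        "direct_browse": fw.new_connection(Flow("10.0.0.5", "198.51.100.9", 443)),
        "via_proxy": fw.new_connection(Flow("10.0.0.5", PROXY, 3128)),
        "home_exposed_to_lan": home_router_dmz_host(Flow("10.0.0.50", "10.0.0.5", 445), "10.0.0.50"),
        "home_outside_to_exposed": home_router_dmz_host(Flow("203.0.113.7", "10.0.0.50", 22), "10.0.0.50"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The two cases worth comparing are `relay_push_to_lan` (a DMZ relay trying to open a connection to the internal mail server, which the policy drops) and `relay_reply_to_poll` (the same relay answering a connection the internal server opened, which the connection table accepts). The home-router model accepts `home_exposed_to_lan` unconditionally, which is exactly why the article says it is not a true DMZ.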
