A DMZ (demilitarized zone) is a network security technique in which the servers that answer requests from an external network are placed in a separate network segment, and their access to the main network segments is restricted by a firewall, so that the compromise of any one service in the zone does as little damage as possible.

Single firewall configuration

Scheme with one firewall

In this scheme the DMZ, the internal network and the external network are connected to different ports of a single router (acting as the firewall) that controls connections between the networks. The scheme is easy to implement and needs only one additional port. However, if the router is compromised (or misconfigured), the internal network is exposed directly to the external network.

Dual firewall configuration

In the dual-firewall configuration the DMZ sits between two routers: one restricts connections from the external network to the DMZ, the other controls connections from the DMZ to the internal network. This minimises the consequences of compromising either firewall or any server that faces the external network: until the internal firewall is breached, the attacker has no arbitrary access to the internal network.

Three firewall configuration

A rarer configuration uses three firewalls: the first accepts requests from the external network, the second controls the DMZ's network connections, and the third controls the internal network's connections. In this configuration the DMZ and the internal network are usually hidden behind NAT (Network Address Translation).

A key feature of a DMZ is not only traffic filtering on the internal firewall but also a requirement for strong cryptography (authenticated, encrypted connections) between the internal network's active equipment and the DMZ. In particular, there must be no situation in which a request from a server in the DMZ can be processed without authorization: a compromised DMZ host must not be able to drive internal systems on the strength of its network position alone. If the DMZ is also used to protect information inside the perimeter from leaking out, the same requirements apply to processing user requests from the internal network.

A demilitarized zone (DMZ) is a network configuration that improves the security of an organisation's network by placing publicly accessible servers in a separate, isolated network segment. It ensures that, if a public server is compromised, the attacker has no direct contact with the other network segments.

As a rule, a relay server is placed in the isolated segment to forward requests from the external network into the organisation's network. Examples of such servers are ViPNet Coordinator and a reverse proxy.

Reverse proxy

First, create a website that will accept requests from the external network, specifying the appropriate bindings (host name and port). Since all DIRECTUM web solutions handle important information, configure the site to use HTTPS. HTTPS normally uses port 443, so that port must be opened in the DMZ firewall.
The next step is to add a forwarding rule using the URL Rewrite module:

If this is the first time the configuration is done, IIS will prompt you to enable reverse proxy functionality and warn that a reverse proxy can either strengthen the organisation's perimeter or, conversely, weaken it by exposing internal services to the Internet.

After enabling reverse proxy functionality, set the forwarding rules:

In the “Inbound rules” section, specify the address and port of the service on the organisation's internal network to which requests are forwarded. Recall that the inbound addresses from which requests are forwarded were set above in the website bindings.

To reduce the load on the DMZ server, you can enable SSL offloading, in which case all external HTTPS requests are forwarded to the internal network over plain HTTP. We do not recommend this, as it lowers the overall security of the scheme: keep HTTPS on the internal leg as well, which means the internal network firewall must also allow port 443 (or whichever port is specified in the URL Rewrite rule).
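The relay described above, written out as an added example (this is not DIRECTUM or IIS code, and the host name `portal.example.com` and backend address are assumptions). It shows the three properties the text asks for: the relay forwards only to the one configured internal backend, it keeps TLS end to end instead of offloading to plain HTTP, and it refuses requests whose Host header is not one of the site's bindings so it cannot be turned into an open proxy into the internal network.

```python
"""Minimal DMZ relay (reverse proxy) that forwards only to a fixed internal
backend over HTTPS. Added example; not DIRECTUM or IIS code."""
import http.server
import ssl
import urllib.request
from urllib.error import HTTPError, URLError

# Assumed values: the public binding the DMZ site listens on and the internal
# application server it relays to. The backend URL is https://, not http://,
# so there is no SSL offloading on the internal leg.
PUBLIC_HOSTS = {"portal.example.com"}
BACKEND = "https://192.168.1.2:443"
# Hop-by-hop headers must not be relayed (RFC 7230, section 6.1).
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
              "proxy-authorization", "te", "trailer",
              "transfer-encoding", "upgrade"}

def select_backend(host_header, backend=BACKEND):
    """Backend base URL for a request, or None when the Host header is not
    one of the site's bindings (keeps the relay from acting as an open proxy)."""
    if host_header is None:
        return None
    host = host_header.split(":", 1)[0].strip().lower()
    return backend if host in PUBLIC_HOSTS else None

def relay_headers(headers, client_ip, proto="https"):
    """Copy end-to-end headers and add X-Forwarded-* so the internal
    application still sees the real client address and original scheme."""
    out = {k: v for k, v in headers.items()
           if k.lower() not in HOP_BY_HOP and k.lower() != "host"}
    out["X-Forwarded-For"] = client_ip
    out["X-Forwarded-Proto"] = proto
    return out

def is_offloaded(backend_url):
    """True when the rewrite target would carry traffic in clear text."""
    return backend_url.lower().startswith("http://")

class RelayHandler(http.server.BaseHTTPRequestHandler):
    def _relay(self):
        backend = select_backend(self.headers.get("Host"))
        if backend is None:
            self.send_error(421, "Unknown host binding")
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        req = urllib.request.Request(
            backend + self.path, data=body, method=self.command,
            headers=relay_headers(self.headers, self.client_address[0]))
        ctx = ssl.create_default_context()  # verifies the backend certificate
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
                self.send_response(resp.status)
                for k, v in resp.getheaders():
                    if k.lower() not in HOP_BY_HOP:
                        self.send_header(k, v)
                self.end_headers()
                self.wfile.write(resp.read())
        except HTTPError as e:          # pass backend error pages through
            self.send_response(e.code)
            self.end_headers()
            self.wfile.write(e.read())
        except URLError:
            self.send_error(502, "Backend unreachable")

    do_GET = do_POST = do_PUT = do_DELETE = _relay

if __name__ == "__main__":
    assert not is_offloaded(BACKEND), "backend must be reached over HTTPS"
    # In practice this listener sits behind TLS termination on port 443.
    http.server.ThreadingHTTPServer(("0.0.0.0", 8080), RelayHandler).serve_forever()
```

In IIS the same decisions are made by the site bindings (which hosts are accepted), the URL Rewrite action URL (where requests go and over which scheme), and the firewall rule that permits only 443 between the DMZ and the internal server.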

Setting example:

The DIRECTUM web application server is located on the organization’s internal network and has one interface: 192.168.1.2/255.255.255.0.

The DMZ and internal network firewalls are configured to allow inbound and outbound connections on TCP port 443 (HTTPS).

For additional protection, restrict access to the DIRECTUM web server from the internal network and allow connections only to the services it needs (DBMS, Session Server, Workflow, etc.). To do this, configure the web server's host firewall rules for inbound and outbound connections to allow only the following ports:

  • TCP 1433 (default) for communication with the SQL server;
  • TCP 32300 (default) for communication with the server running the Session Server service;
  • TCP 32310 (default) for communication with the server running the WorkFlow service;
  • TCP 443 for the web access server itself over HTTPS;
  • UDP 137-139 (default) for NetBIOS name resolution.

This is the minimum set of ports and protocols. In a production environment the allow rules may need to be extended; for example, file storage services additionally require TCP ports 445 and 32320.
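To see how the dual-firewall topology and this host-level port list work together, here is an added example (not the page's own code) that models both: a flow is permitted only if every enforcement point on its path permits it, and each point denies by default. The addressing, the DMZ relay address, and which firewalls a given path crosses are assumptions; the internal web server's port list follows the table above.

```python
"""Zone policy model for a dual-firewall DMZ plus a host firewall on the
internal web server. Added example; addresses and paths are assumptions."""
from ipaddress import ip_address, ip_network

SEGMENTS = {"dmz": ip_network("203.0.113.0/24"),        # assumed
            "internal": ip_network("192.168.1.0/24")}    # holds 192.168.1.2
WEB_DMZ = "203.0.113.10"   # reverse proxy in the DMZ (assumed address)
WEB_INT = "192.168.1.2"    # DIRECTUM web application server (from the page)

def zone_of(ip):
    """Anything outside the two known segments is the external network."""
    addr = ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), "external")

# Rule = (source zone or host, destination zone or host, proto, (low, high)).
# A flow that matches no rule is dropped.
OUTER_FW = [("external", "dmz", "tcp", (443, 443))]          # public HTTPS to the relay
INNER_FW = [("dmz", WEB_INT, "tcp", (443, 443)),             # relay -> web server only
            ("internal", "dmz", "tcp", (443, 443))]          # staff reaching the relay
WEB_INT_HOST = [("dmz", WEB_INT, "tcp", (443, 443)),         # HTTPS from the relay
                (WEB_INT, "internal", "tcp", (1433, 1433)),   # SQL Server
                (WEB_INT, "internal", "tcp", (32300, 32300)), # Session Server
                (WEB_INT, "internal", "tcp", (32310, 32310)), # WorkFlow
                (WEB_INT, "internal", "udp", (137, 139))]     # NetBIOS names

# Enforcement points crossed by a flow between two different zones.
PATH = {("external", "dmz"): [OUTER_FW],   ("dmz", "external"): [OUTER_FW],
        ("dmz", "internal"): [INNER_FW],   ("internal", "dmz"): [INNER_FW],
        ("external", "internal"): [OUTER_FW, INNER_FW],
        ("internal", "external"): [INNER_FW, OUTER_FW]}

def _match(selector, ip):
    return selector == ip or selector == zone_of(ip)

def allowed_by(rules, src, dst, proto, port):
    return any(_match(s, src) and _match(d, dst) and p == proto and lo <= port <= hi
               for s, d, p, (lo, hi) in rules)

def flow_allowed(src, dst, proto, port):
    """True only if every network firewall on the path and the web server's
    host firewall (when it is an endpoint) permit the flow. Hosts in the same
    segment have no network firewall between them."""
    sz, dz = zone_of(src), zone_of(dst)
    points = [] if sz == dz else list(PATH[(sz, dz)])
    if WEB_INT in (src, dst):
        points.append(WEB_INT_HOST)
    return all(allowed_by(r, src, dst, proto, port) for r in points)

def reachable_from(src, targets, ports=(22, 443, 445, 1433, 3389, 32300, 32310)):
    """Blast radius: what a compromised `src` can still connect to."""
    return sorted((dst, p) for dst in targets for p in ports
                  if flow_allowed(src, dst, "tcp", p))
```

The useful call is `reachable_from(WEB_DMZ, [...])`: with the rules above a compromised relay can open exactly one thing, HTTPS on the web server, while the web server itself can reach only the database, session and workflow ports it needs. Adding a rule to `INNER_FW` and re-running the blast-radius check is a quick way to see what a proposed exception would expose.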

Instead of a conclusion

This short article looked at practical steps that can be taken to improve the security of an organisation's network. To become familiar with other security features, follow t.

DMZ and SOHO

For home (SOHO) routers and access points, “DMZ” usually means a form of port forwarding (PAT) in which any request arriving from the external network on any router port is passed to one designated host on the internal network.

Owners of home Wi-Fi routers sometimes find that certain programs or games work with restrictions. In such cases it can make sense to use forwarding on the router. There are several forwarding methods, each with its advantages and disadvantages; one of them is DMZ. Most network devices have this item in their settings, but not everyone knows what it is or what it is for. If you don't either, this information is for you.

Most ordinary users have not even heard of DMZ technology

What is DMZ

On a home router, the DMZ host is a physical or virtual machine on the local network that the router exposes to the Internet as a whole, acting as a buffer between the local network and the Internet. It is used to offer services from the local network to the outside: e-mail, remote access servers, web applications and other programs that must be reachable from the Internet. Whether an outside user has to log in is decided solely by the services running on that host; the router itself performs no authorization for traffic it passes to the DMZ host. In most cases this is simply a router setting.

The name comes from the English term for a demilitarized zone, a buffer between warring territories. The feature is used when you set up a home server that must be reachable from any computer on the Internet. A true demilitarized zone is used in large corporate networks with a high level of internal security; the DMZ option on home routers simply opens the chosen computer completely to the Internet.

When is DMZ used?

Because the computer is left open, the method is considered quite dangerous and should be used only when other forwarding methods do not give the desired result:

  1. For applications that require all ports to be open. There are few of them, but they exist.
  2. Hosting a home server. Sometimes you need to host a shared resource at home, and this setting is useful for separating the server from the rest of the local network.
  3. Game consoles. In most cases the router's automatic forwarding lets consoles play online without further steps, but in some cases only DMZ gives the desired result.

Setting up DMZ in the router

For the DMZ to work on your network, the router must be configured correctly, which is not difficult. Log in to the settings via the web interface; the IP address, login and password are usually printed on the router or given in its manual. Depending on the manufacturer, the section may be on the “Internet Settings” or “Forwarding” tab.

  1. First, in the DHCP server settings, assign a static (reserved) IP address to the computer that will act as the server, so the DMZ rule keeps pointing at the right host;
  2. then, on the DMZ tab, tick “Enable”, enter the assigned IP address, save and reboot the device;
  3. make sure the exposed device has the latest security updates installed: a DMZ host is convenient, but every service it runs is reachable from the Internet.
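What the router actually does once those steps are complete, as an added example (this is not router firmware): explicit port forwards are consulted first, and every other unsolicited inbound port lands on the DMZ host. The precedence order is the usual one on consumer routers but is an assumption here, as are all addresses; `config_problems` encodes the checks from the steps above, in particular that the DMZ host has a static lease.

```python
"""How a SOHO router resolves unsolicited inbound traffic once a DMZ host is
set. Added example, not router firmware; addresses and precedence assumed."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class RouterConfig:
    reservations: dict                            # MAC -> LAN IP (static DHCP leases)
    forwards: list = field(default_factory=list)  # (proto, wan_port, lan_ip, lan_port)
    dmz_host: Optional[str] = None

def inbound_target(cfg, proto, wan_port):
    """Where a new inbound connection to wan_port ends up on the LAN."""
    for p, port, lan_ip, lan_port in cfg.forwards:
        if p == proto and port == wan_port:
            return lan_ip, lan_port
    if cfg.dmz_host:
        return cfg.dmz_host, wan_port       # PAT catch-all: every remaining port
    return None                             # no DMZ host: dropped at the WAN side

def exposed_ports(cfg, lan_ip, listening):
    """LAN ports on lan_ip (listening = [(proto, port)]) that the Internet can
    reach, either through an explicit forward or via the DMZ catch-all."""
    listening = set(listening)
    reachable = set()
    for p, wan_port, ip, lan_port in cfg.forwards:
        if ip == lan_ip and (p, lan_port) in listening:
            reachable.add(lan_port)
    if cfg.dmz_host == lan_ip:
        # An explicit forward for the same WAN port takes precedence and hides it.
        forwarded = {(p, w) for p, w, _, _ in cfg.forwards}
        reachable |= {port for proto, port in listening if (proto, port) not in forwarded}
    return sorted(reachable)

def config_problems(cfg):
    """Checks worth running before enabling the DMZ host."""
    issues = []
    if cfg.dmz_host and cfg.dmz_host not in cfg.reservations.values():
        issues.append("DMZ host has no static lease; its address may change")
    for p, port, lan_ip, lan_port in cfg.forwards:
        if lan_ip == cfg.dmz_host and lan_port == port:
            issues.append(f"forward {p}/{port} to the DMZ host is redundant")
    return issues
```

`exposed_ports` is the number to look at before enabling the feature: run it against everything the chosen machine listens on (file sharing, remote desktop, a database left on its default port) and each entry it returns is reachable from the whole Internet.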

Conclusion

Now you know what a DMZ is and how it is configured. At home there is usually no real need for it.

With the spread of the Internet came the need to protect information and the local network as a whole. The issue is especially acute when a company runs publicly accessible Internet services (web and FTP servers, mail, online shops) on the same local network as everything else.

Access to such servers is usually open: any user can, without authenticating with a login and password, reach a resource on a web server or sections of an FTP server, and a mail server will accept mail from any other mail server. There is no guarantee that malicious code will not arrive with that mail, or that among hundreds of users there is not someone who, for whatever reason, wants access not only to the public services but to the organisation's local network. And if the network is built on simple hubs rather than switches, every host sees every other host's traffic, and the danger is greater still.

By hacking one of the computers, a hacker can gain access to the entire network

What does this mean? Having gained access to even one computer on the local network, an attacker can harvest passwords, up to and including the administrator's, gain access to any information circulating or stored on the network, change passwords so that databases become inaccessible, or simply put systems out of action. A compromised web server can also be used to launch DoS attacks that block all internal corporate resources.

Systems that include public servers must therefore be built differently from systems based on internal servers; the difference is dictated by the specific risks that public availability brings. The solution is to split the local network and the public servers into separate parts. The part holding the public services is called the demilitarized zone (DMZ).

Figure 13.2 – Scheme of a local network with a demilitarized zone

The essence of the DMZ is that it belongs to neither the internal nor the external network, and access to it is possible only under predefined firewall rules. There are no users in the DMZ, only servers. A DMZ normally serves to prevent the external network from reaching hosts on the internal network by moving every service that must be reachable from outside out of the local network into this special zone. In practice the zone is a separate subnet with public addresses, separated from both the public and the corporate networks by firewalls.



Creating such a zone gives network administrators additional tasks: controlling access to the resources and servers in the DMZ, keeping the information users exchange with those resources confidential, and monitoring user actions. As for the information that may be placed on the servers: since public services can be compromised, they should hold the least important data, and anything valuable should live only on the local network, out of reach of the public servers.

Servers in the DMZ must not hold information about users or company clients, other confidential information, or employees' personal mailboxes; all of that belongs in the protected part of the local network. The information that is published on public servers should be backed up at the shortest practical interval. It is also recommended to use at least a two-server model for mail, and to continuously monitor the content of web servers so that a compromise is detected and remedied quickly.

The use of firewalls is mandatory when creating a DMZ

Firewalls protect against penetration through the demilitarized zone into the corporate network. There are software and hardware firewalls. A software firewall runs on a general-purpose machine (at the time of writing, UNIX or Windows NT/2000). A hardware firewall only needs to be connected to the network and given a minimal configuration. Software firewalls are typically used to protect small networks where there is no need for many settings for flexible bandwidth allocation and per-user, per-protocol traffic restrictions; for large networks that need high performance, hardware firewalls become more cost-effective. In many cases not one but two firewalls are used: one protects the demilitarized zone from the outside, the other separates it from the internal part of the corporate network.



Moving public servers into a demilitarized zone protects the corporate network to a certain extent, but the DMZ itself also needs protection. The following issues must be addressed:

· protection against attacks on servers and network equipment;

· protection of individual servers;

· control of e-mail and other content;

· auditing of user actions.

How are these addressed? A mail server used for both external and internal correspondence should be split into two components: a public one, essentially a relay, placed in the DMZ, and the main one inside the corporate network. The main component handles internal mail, receives external mail from the relay and hands outgoing mail to it.

One of the main challenges is providing secure access to public resources and applications from the corporate intranet. Although a firewall sits between the intranet and the demilitarized zone, it must be “transparent” for this work. There are several ways to give users this access. The first is terminal access: with this client-server arrangement no program code, which could carry viruses or other malicious content, crosses the connection. The terminal client sends only keystrokes and mouse state to the server, and the server returns bitmaps of the screen of the user's browser or mail client session. Another option is a VPN (Virtual Private Network): thanks to access control and cryptographic protection, a VPN is a secure private network that still takes full advantage of the public network.

Securing servers and equipment in a DMZ must be approached with particular care

Intrusion detection systems protect against attacks on servers and network equipment. The computer running such a system is the first hop on the path of traffic from the Internet into the DMZ, and the system is configured so that, when an attack is detected, it can reconfigure the firewall to block the source completely. For additional, periodic rather than continuous, control, security scanners are used to check the security of the network, the servers and services, and the databases. Anti-virus software and content-control tools are installed in the demilitarized zone to protect against malware.
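The detect-then-block loop described in this paragraph, as an added example (not code from the page): it reads a DMZ web server's access log, counts probe requests per source in a sliding window, and emits a block rule for the outer firewall once a source crosses a threshold. The log lines are constructed, and the threshold, window, probe patterns and nftables rule syntax are assumptions.

```python
"""Simple log-driven intrusion detection that produces firewall block rules.
Added example; the sample log is constructed and the thresholds assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: ip ident user [time] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 5                    # assumed: suspicious requests per window before blocking
SCAN_PATTERNS = tuple(re.compile(p, re.I) for p in (
    r"/\.env", r"/wp-login\.php", r"\.\./", r"/etc/passwd", r"'\s*(?:or|and)\b"))

# Constructed sample: one benign visitor and one scanner probing the DMZ web server.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.23 - - [10/Mar/2024:10:00:02 +0000] "GET /.env HTTP/1.1" 404 162
198.51.100.23 - - [10/Mar/2024:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 162
198.51.100.23 - - [10/Mar/2024:10:00:04 +0000] "GET /../../etc/passwd HTTP/1.1" 400 162
198.51.100.23 - - [10/Mar/2024:10:00:05 +0000] "GET /admin/ HTTP/1.1" 403 162
203.0.113.9 - - [10/Mar/2024:10:00:06 +0000] "GET /favicon.ico HTTP/1.1" 404 162
198.51.100.23 - - [10/Mar/2024:10:00:07 +0000] "GET /login?user=' or 1=1 HTTP/1.1" 200 812
198.51.100.23 - - [10/Mar/2024:10:00:08 +0000] "GET /login HTTP/1.1" 200 812
""".splitlines()

def parse(line):
    """One log line -> dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "status": int(m["status"])}

def suspicious(ev):
    """A request counts if it is a 4xx error (scanners produce bursts of them)
    or if it targets a known probe path or injection pattern."""
    return 400 <= ev["status"] < 500 or any(p.search(ev["req"]) for p in SCAN_PATTERNS)

def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count per source; returns {ip: time the threshold was hit}."""
    recent = defaultdict(list)
    blocked = {}
    for ev in filter(None, map(parse, lines)):
        if not suspicious(ev) or ev["ip"] in blocked:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop events older than the window
            q.pop(0)
        if len(q) >= threshold:
            blocked[ev["ip"]] = ev["ts"]
    return blocked

def block_rules(blocked):
    """Rules to push to the outer firewall (nftables set syntax, assumed)."""
    return [f"add element inet filter blocked {{ {ip} }}" for ip in sorted(blocked)]

if __name__ == "__main__":
    for rule in block_rules(detect(SAMPLE_LOG)):
        print(rule)
```

The 4xx heuristic is deliberately blunt; in production the source would be the web server's live log or the IDS's own alerts, and the block list would be a named set on the firewall that the rule set already references, so that a new element takes effect without reloading the whole policy.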


Global Networks

Wide Area Networks (WANs), also called territorial computer networks, provide services to a large number of end subscribers scattered over a large territory: a region, a country, a continent or the whole globe. Because of the length of the communication lines, building a global network is very expensive: the cost includes the cables and their installation, the switching equipment and intermediate amplification equipment that provide the required channel bandwidth, and the running cost of keeping equipment spread over a large area in working order.

Typical subscribers of a global computer network are the local networks of enterprises located in different cities and countries that need to exchange data with each other. Individual computers also use the services of global networks.

WANs are usually built by large telecommunications companies to provide paid services to subscribers; such networks are called public. There are also the concepts of network operator and service provider. The network operator is the company that keeps the network running; the service provider (often simply “provider”) is the company that sells services to the network's subscribers. The owner, the operator and the service provider may be one company or different companies.

Far less often, a global network is built entirely by a large corporation for its own needs; such a network is called private. Very often there is an intermediate option: a corporate network uses the services or equipment of a public wide area network and supplements them with its own.

Depending on which components have to be rented, networks are usually classified as built on:

Dedicated channels;

Circuit switching;

Packet switching.

The last case is the most favourable: a packet-switched network is available at every location that has to be joined into the corporate network. The first two cases require extra work to build a packet-switched network on top of the leased facilities.

Dedicated channels

Dedicated (leased) channels can be obtained from telecommunications companies that own long-distance lines, or from telephone companies, which usually lease lines within a city or region.

Leased lines can be used in two ways. The first is to build a territorial network of some technology, for example Frame Relay, in which the leased lines connect intermediate, geographically distributed packet switches.

The second option is to connect only the local networks being joined, over dedicated lines, without installing transit packet switches running a global-network technology. This option is technically the simplest: it relies on routers or remote bridges in the connected local networks and dispenses with global-technology protocols such as X.25 or Frame Relay. The same network- or data-link-layer packets are carried over the global channels as in the local networks.

It is this second method that received the special name “dedicated channel services”, since it uses nothing else from the technologies of actual packet-switched global networks.

Dedicated channels were used very actively in the recent past and are still used today, especially for critical backbone links between large local networks, since the service guarantees the throughput of the leased channel. However, with many geographically distant sites and heavy mixed traffic between them, this service becomes expensive because of the large number of leased channels.

Today there is a wide choice of dedicated channels, from analogue voice-frequency channels with a bandwidth of 3.1 kHz to digital SDH channels with a throughput of 155 and 622 Mbit/s.
