What is a DMZ?

People have different ideas of what a DMZ is and what it isn't. The DMZ is a concept that became popular with the adoption of NAT, so I tend to link the concept of a DMZ to NAT, which others may disagree with.

Assuming a basic SPI firewall with the concept of INSIDE (using RFC 1918 addressing) and OUTSIDE (using public IP addressing) with NAT, a common problem is how to support a server that needs to be accessed from both INSIDE and OUTSIDE systems.

Without a DMZ, people turn to port-forwarding or 1-to-1 NAT to map requests from the OUTSIDE to the INSIDE. This has a few problems, though:

Firstly, and most importantly, it doesn't segment the server from your INSIDE network, yet it allows external connections. This means that if someone compromises the system from the outside, the server can then be used as a pivot point to access the INSIDE network without restriction.

Secondly, if the service is accessed using DNS (e.g. a website), then INSIDE clients trying to access the server using the OUTSIDE IP address will fail, because the server will attempt to respond to the INSIDE client directly with a private IP address when the client is expecting a response from the public IP address. The work-around for this is to implement split-DNS, such that your DNS server responds with a different address depending on the source of the request. The hack for this is a special NAT rule, generally called NAT reflection or hairpin NAT. A NAT reflection rule NATs traffic from INSIDE systems to INSIDE systems that flows through the firewall so that it has a source IP of the firewall. This works, but it's ugly, because your logging or host firewall policy will no longer be able to tell the difference between internal systems, as they'll all appear to come from a single IP.

Enter the DMZ.

With a DMZ model, you create a third network with public IP addressing that is reachable from the outside but also has visibility of the INSIDE network without the use of NAT. The most common trust relationship is such that the DMZ cannot establish connections to the INSIDE network, but the INSIDE can establish connections to the DMZ by default. If the DMZ needs to access a system on the INSIDE network, a specific rule can be created to allow that access (e.g. a web server in the DMZ and a DB server on the INSIDE network).

You do NOT need a separate firewall for a DMZ, but you DO need the ability to filter between the DMZ and other networks. This is usually as simple as applying an ACL to the DMZ interface. Another important aspect of a DMZ is that connections from the OUTSIDE to the DMZ are still filtered. You just don't need to NAT that traffic, since the DMZ is using public IP addressing.

Over time, different models have emerged, including ones where the DMZ is implemented using private IP addressing and NAT. In my opinion that is not a DMZ but rather simply a different security zone, and extending the definition of DMZ to include it makes the concept of a DMZ hard to explain today, because it now means different things to different people. Another definition of a DMZ is simply placing systems outside the firewall on the outside network. I also disagree with this being a DMZ, because it does not meet the requirement that a DMZ has filtering between itself and the rest of the Internet.

I know. You may be thinking that I am a DMZ purist (or fundamentalist). And you're right. For me, a DMZ implies the use of NAT and is something that exists to get around the limitations of NAT.

In a model without NAT, you would still want to segment servers that are accessed globally from your internal network, but this wouldn't be a DMZ (by my definition). It would just be a different security zone.

For a real-world example of a DMZ firewall configuration, you can take a look at a draft of a firewall configuration guide for VyOS that I've been working on, here:

http://soucy.org/vyos/UsingVyOSasaFirewall.pdf

The DMZ is popular because it makes a nice addition to what most people would consider a basic firewall design today (one which employs NAT and the concept of INSIDE vs OUTSIDE).

For more complicated policy, you generally establish networks which belong to zones, with networks of a common zone having one trust relationship and networks of different zones having a different trust relationship. A zone is generally used for separation of concerns.

It should also be noted that in higher education a new term, "Science DMZ", has been coined for a network which preserves the end-to-end model by using public IP addressing and achieves high performance by limiting filtering to hardware ACLs rather than SPI firewalls (which introduce a significant bottleneck). This is completely different from a DMZ, even though it has DMZ in its name.

/r/networking Thread
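The trust relationships the post describes (INSIDE may initiate to the DMZ, the DMZ reaches the INSIDE only through a specific rule such as web server to DB server, OUTSIDE to DMZ is still filtered, and the DMZ is routed without NAT), written out as a VyOS zone-policy configuration in the legacy `set` syntax. This is an added example, not the author's configuration or the linked guide; the interface names, the documentation-range addresses, the web server at 203.0.113.10, the DB server at 10.0.0.20 on TCP 5432, and letting the DMZ initiate to OUTSIDE are all assumptions.

```vyos
# Assumed interfaces: eth0 = OUTSIDE (public), eth1 = INSIDE (RFC 1918),
# eth2 = DMZ (public addressing). Addresses are documentation ranges.
set interfaces ethernet eth0 address '198.51.100.2/24'
set interfaces ethernet eth1 address '10.0.0.1/24'
set interfaces ethernet eth2 address '203.0.113.1/24'

# Source NAT applies only to INSIDE -> OUTSIDE; the DMZ is routed untranslated.
set nat source rule 10 outbound-interface 'eth0'
set nat source rule 10 source address '10.0.0.0/24'
set nat source rule 10 translation address 'masquerade'

# Stateful inspection: return traffic of accepted sessions is allowed globally.
set firewall state-policy established action 'accept'
set firewall state-policy related action 'accept'

# OUTSIDE -> DMZ is still filtered: only the web server's HTTP/HTTPS is exposed.
set firewall name OUTSIDE-TO-DMZ default-action 'drop'
set firewall name OUTSIDE-TO-DMZ rule 10 action 'accept'
set firewall name OUTSIDE-TO-DMZ rule 10 protocol 'tcp'
set firewall name OUTSIDE-TO-DMZ rule 10 destination address '203.0.113.10'
set firewall name OUTSIDE-TO-DMZ rule 10 destination port '80,443'

# DMZ -> INSIDE is denied by default, with one explicit exception:
# the DMZ web server (assumed 203.0.113.10) may reach the INSIDE DB server.
set firewall name DMZ-TO-INSIDE default-action 'drop'
set firewall name DMZ-TO-INSIDE rule 10 action 'accept'
set firewall name DMZ-TO-INSIDE rule 10 protocol 'tcp'
set firewall name DMZ-TO-INSIDE rule 10 source address '203.0.113.10'
set firewall name DMZ-TO-INSIDE rule 10 destination address '10.0.0.20'
set firewall name DMZ-TO-INSIDE rule 10 destination port '5432'

# INSIDE may initiate to anything; the DMZ may initiate to OUTSIDE (assumed).
set firewall name ALLOW-ALL default-action 'accept'

# Zones: anything without a matching "from" ruleset hits the zone's default drop,
# so OUTSIDE -> INSIDE has no rule at all and is dropped.
set zone-policy zone OUTSIDE interface 'eth0'
set zone-policy zone OUTSIDE default-action 'drop'
set zone-policy zone OUTSIDE from INSIDE firewall name 'ALLOW-ALL'
set zone-policy zone OUTSIDE from DMZ firewall name 'ALLOW-ALL'
set zone-policy zone INSIDE interface 'eth1'
set zone-policy zone INSIDE default-action 'drop'
set zone-policy zone INSIDE from DMZ firewall name 'DMZ-TO-INSIDE'
set zone-policy zone DMZ interface 'eth2'
set zone-policy zone DMZ default-action 'drop'
set zone-policy zone DMZ from OUTSIDE firewall name 'OUTSIDE-TO-DMZ'
set zone-policy zone DMZ from INSIDE firewall name 'ALLOW-ALL'
```

Because the DMZ carries public addresses there is no port-forward or hairpin rule anywhere: INSIDE clients reach 203.0.113.10 by plain routing through the INSIDE-to-DMZ policy, so per-host logging on the web server still sees real client addresses.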