What Is a DMZ and Why Would You Use It? | Fortinet
文章推薦指數: 80 %
A demilitarized zone (DMZ) is a perimeter network that protects an organization's internal local area network (LAN) from untrusted traffic. A DMZ ensures a ... Skiptocontent Skiptonavigation Skiptofooter DMZ FortinetNamedaLeaderinthe2021Gartner®MagicQuadrant™forNetworkFirewalls WhatisaDMZNetwork? ADMZNetworkisaperimeternetworkthatprotectsandaddsanextralayerofsecuritytoanorganization’sinternallocal-areanetworkfromuntrustedtraffic.AcommonDMZisasubnetworkthatsitsbetweenthepublicinternetandprivatenetworks. TheendgoalofaDMZistoallowanorganizationtoaccessuntrustednetworks,suchastheinternet,whileensuringitsprivatenetworkorLANremainssecure.Organizationstypicallystoreexternal-facingservicesandresources,aswellasserversfortheDomainNameSystem(DNS),FileTransferProtocol(FTP),mail,proxy,VoiceoverInternetProtocol(VoIP),andwebservers,intheDMZ. TheseserversandresourcesareisolatedandgivenlimitedaccesstotheLANtoensuretheycanbeaccessedviatheinternetbuttheinternalLANcannot.Asaresult,aDMZapproachmakesitmoredifficultforahackertogaindirectaccesstoanorganization’sdataandinternalserversviatheinternet. HowDoesaDMZNetworkWork? Businesseswithapublicwebsitethatcustomersusemustmaketheirwebserveraccessiblefromtheinternet.Doingsomeansputtingtheirentireinternalnetworkathighrisk.Topreventthis,anorganizationcouldpayahostingfirmtohostthewebsiteortheirpublicserversonafirewall,butthiswouldaffectperformance.Soinstead,thepublicserversarehostedonanetworkthatisseparateandisolated. ADMZnetworkprovidesabufferbetweentheinternetandanorganization’sprivatenetwork.TheDMZisisolatedbyasecuritygateway,suchasafirewall,thatfilterstrafficbetweentheDMZandaLAN.ThedefaultDMZserverisprotectedbyanothersecuritygatewaythatfilterstrafficcominginfromexternalnetworks. Itisideallylocatedbetweentwofirewalls,andtheDMZfirewallsetupensuresincomingnetworkpacketsareobservedbyafirewall—orothersecuritytools—beforetheymakeitthroughtotheservershostedintheDMZ.Thismeansthatevenifasophisticatedattackerisabletogetpastthefirstfirewall,theymustalsoaccessthehardenedservicesintheDMZbeforetheycandodamagetoabusiness. IfanattackerisabletopenetratetheexternalfirewallandcompromiseasystemintheDMZ,theythenalsohavetogetpastaninternalfirewallbeforegainingaccesstosensitivecorporatedata.AhighlyskilledbadactormaywellbeabletobreachasecureDMZ,buttheresourceswithinitshouldsoundalarmsthatprovideplentyofwarningthatabreachisinprogress. Organizationsthatneedtocomplywithregulations,suchastheHealthInsurancePortabilityandAccountabilityAct(HIPAA),willsometimesinstallaproxyserverintheDMZ.Thisenablesthemtosimplifythemonitoringandrecordingofuseractivity,centralizewebcontentfiltering,andensureemployeesusethesystemtogainaccesstotheinternet. BenefitsofUsingaDMZ ThemainbenefitofaDMZistoprovideaninternalnetworkwithanadvancedsecuritylayerbyrestrictingaccesstosensitivedataandservers.ADMZenableswebsitevisitorstoobtaincertainserviceswhileprovidingabufferbetweenthemandtheorganization’sprivatenetwork.Asaresult,theDMZalsooffersadditionalsecuritybenefits,suchas: Enablingaccesscontrol: Businessescanprovideuserswithaccesstoservicesoutsidetheperimetersoftheirnetworkthroughthepublicinternet.TheDMZenablesaccesstotheseserviceswhileimplementingnetworksegmentationtomakeitmoredifficultforanunauthorizedusertoreachtheprivatenetwork.ADMZmayalsoincludeaproxyserver,whichcentralizesinternaltrafficflowandsimplifiesthemonitoringandrecordingofthattraffic. Preventingnetworkreconnaissance: Byprovidingabufferbetweentheinternetandaprivatenetwork,aDMZpreventsattackersfromperformingthereconnaissanceworktheycarryoutthesearchforpotentialtargets.ServerswithintheDMZareexposedpubliclybutareofferedanotherlayerofsecuritybyafirewallthatpreventsanattackerfromseeinginsidetheinternalnetwork.EvenifaDMZsystemgetscompromised,theinternalfirewallseparatestheprivatenetworkfromtheDMZtokeepitsecureandmakeexternalreconnaissancedifficult. BlockingInternetProtocol(IP)spoofing: AttackersattempttofindwaystogainaccesstosystemsbyspoofinganIPaddressandimpersonatinganapproveddevicesignedintoanetwork.ADMZcandiscoverandstallsuchspoofingattemptsasanotherserviceverifiesthelegitimacyoftheIPaddress.TheDMZalsoprovidesnetworksegmentationtocreateaspacefortraffictobeorganizedandpublicservicestobeaccessedawayfromtheinternalprivatenetwork. ServicesofaDMZinclude: DNSservers FTPservers Mailservers Proxyservers Webservers DMZDesignandArchitecture ADMZisa“wide-opennetwork,"butthereareseveraldesignandarchitectureapproachesthatprotectit.ADMZcanbedesignedinseveralways,fromasingle-firewallapproachtohavingdualandmultiplefirewalls.ThemajorityofmodernDMZarchitecturesusedualfirewallsthatcanbeexpandedtodevelopmorecomplexsystems. Singlefirewall: ADMZwithasingle-firewalldesignrequiresthreeormorenetworkinterfaces.Thefirstistheexternalnetwork,whichconnectsthepublicinternetconnectiontothefirewall.Thesecondformstheinternalnetwork,whilethethirdisconnectedtotheDMZ.VariousrulesmonitorandcontroltrafficthatisallowedtoaccesstheDMZandlimitconnectivitytotheinternalnetwork. Dualfirewall: DeployingtwofirewallswithaDMZbetweenthemisgenerallyamoresecureoption.ThefirstfirewallonlyallowsexternaltraffictotheDMZ,andthesecondonlyallowstrafficthatgoesfromtheDMZintotheinternalnetwork.Anattackerwouldhavetocompromisebothfirewallstogainaccesstoanorganization’sLAN. Organizationscanalsofine-tunesecuritycontrolsforvariousnetworksegments.Thismeansthatanintrusiondetectionsystem(IDS)orintrusionpreventionsystem(IPS)withinaDMZcouldbeconfiguredtoblockanytrafficotherthanHypertextTransferProtocolSecure(HTTPS)requeststotheTransmissionControlProtocol(TCP)port443. TheImportanceofDMZNetworks:HowAreTheyUsed? DMZnetworkshavebeencentraltosecuringglobalenterprisenetworkssincetheintroductionoffirewalls.Theyprotectorganizations’sensitivedata,systems,andresourcesbykeepinginternalnetworksseparatefromsystemsthatcouldbetargetedbyattackers.DMZsalsoenableorganizationstocontrolandreduceaccesslevelstosensitivesystems. Enterprisesareincreasinglyusingcontainersandvirtualmachines(VMs)toisolatetheirnetworksorparticularapplicationsfromtherestoftheirsystems.Thegrowthofthecloudmeansmanybusinessesnolongerneedinternalwebservers.TheyhavealsomigratedmuchoftheirexternalinfrastructuretothecloudbyusingSoftware-as-a-Service(SaaS)applications. Forexample,acloudservicelikeMicrosoftAzureallowsanorganizationthatrunsapplicationson-premisesandonvirtualprivatenetworks(VPNs)touseahybridapproachwiththeDMZsittingbetweenboth.Thismethodcanalsobeusedwhenoutgoingtrafficneedsauditingortocontroltrafficbetweenanon-premisesdatacenterandvirtualnetworks. Further,DMZsareprovingusefulincounteringthesecurityrisksposedbynewtechnologysuchasInternet-of-Things(IoT)devicesandoperationaltechnology(OT)systems,whichmakeproductionandmanufacturingsmarterbutcreateavastthreatsurface.ThatisbecauseOTequipmenthasnotbeendesignedtocopewithorrecoverfromcyberattacksthewaythatIoTdigitaldeviceshavebeen,whichpresentsasubstantialrisktoorganizations’criticaldataandresources.ADMZprovidesnetworksegmentationtolowertheriskofanattackthatcancausedamagetoindustrialinfrastructure. HowFortinetCanHelp TheFortinetFortiGatenext-generationfirewall(NGFW)containsaDMZnetworkthatcanprotectusers’serversandnetworks.ItcreatesaholeinthenetworkprotectionforuserstoaccessawebserverprotectedbytheDMZandonlygrantsaccessthathasbeenexplicitlyenabled.CheckouttheFortinetcookbookformoreinformationon howtoprotectawebserverwithaDMZ FAQs IsaDMZsafe? TheDMZnetworkitselfisnotsafe.Itenableshostsandsystemsstoredwithinittobeaccessiblefromuntrustedexternalnetworks,suchastheinternet,whilekeepingotherhostsandsystemsonprivatenetworksisolated. WhatisthebenefitofDMZ? ADMZprovidesanextralayerofsecuritytoaninternalnetwork.Itrestrictsaccesstosensitivedata,resources,andserversbyplacingabufferbetweenexternalusersandaprivatenetwork.Otherbenefitsincludeaccesscontrol,preventingattackersfromcarryingoutreconnaissanceofpotentialtargets,andprotectingorganizationsfrombeingattackedthroughIPspoofing. ShouldyouuseaDMZonyourrouter? ADMZcanbeusedonarouterinahomenetwork.TheDMZrouterbecomesaLAN,withcomputersandotherdevicesconnectingtoit.SomehomeroutersalsohaveaDMZhostfeaturethatallocatesadevicetooperateoutsidethefirewallandactastheDMZ.Allotherdevicessitinsidethefirewallwithinthehomenetwork.AgamingconsoleisoftenagoodoptiontouseasaDMZhost.Itensuresthefirewalldoesnotaffectgamingperformance,anditislikelytocontainlesssensitivedatathanalaptoporPC. QuickLinks FreeProductDemo Explorekeyfeaturesandcapabilities,andexperienceuserinterfaces. ResourceCenter Downloadfromawiderangeofeducationalmaterialanddocuments. FreeTrials Testourproductsandsolutions. ContactSales Haveaquestion?We'reheretohelp. AlsoofInterestTCPIPFileTransferProtocol(FTP)MeaningandDefinitionWhatDoesaFirewallDo? ×
延伸文章資訊
- 1What is a DMZ and how to configure DMZ host | TP-Link
- 2D-Link Technical Support
何謂DMZ? 如果您有一台電腦或設備,無法在DIR-619L下正常的執行Internet應用程式, 例如視訊、語音、監視系統、線上遊戲,必須一定要暴露在Internet下才可正常使用; ...
- 3DMZ 型Access Point 應用裝置的防火牆規則 - VMware Docs
DMZ 型Access Point 應用裝置需要在前端和後端防火牆設定某些防火牆規則。在安裝期間,Access Point 服務預設設為接聽特定網路連接埠。
- 4如何使用無線路由器的DMZ功能呢?(新logo) | TP-Link 台灣地區
1. 手動將您電腦的IP設定成固定IP,例如:192.168.0.100 · 2. 登入至路由器的網頁管理介面,請參閱: · 3. 至進階設定>NAT導向>DMZ 並啟用DMZ · 4. 輸入D...
- 5網站三層式架構的假三層做法請教 - iT 邦幫忙
例:查詢abc.com會從web導進ap處理. 因要使用這個模式來架設網站, 又要在不動程式的情況下完成,且都是win2012主機. 目前想到的是web(DMZ)這台架設iis reverse ...