DMZ Concepts

The use of a DMZ and its overall design and implementation can be relatively simple or extremely complex, depending on the needs of the particular business or network system. The DMZ concept came into use as the need for separation of networks became more acute when we began to provide more access to services for individuals or partners outside the LAN infrastructure.

One of the primary reasons why the DMZ has come into favor is the realization that a single type of protection is subject to failure. This failure can arise from configuration errors, planning errors, equipment failure, or deliberate action on the part of an internal employee or external attack force. The DMZ has proven more secure and offers multiple layers of protection for the security of the protected networks and machines.

It is also very flexible, scalable, and relatively robust in its capability to provide the protection we need. DMZ design now includes the ability to use multiple products (both hardware- and software-based) on multiple platforms to achieve the level of protection necessary, and are often designed to provide failover capabilities as well. When we are working with a DMZ, we must have a common ground from which to work.

To facilitate understanding, we examine a number of conceptual paths for traffic flow in the following section. Before doing so, however, let’s make sure we understand the basic configurations that can be used for firewall and DMZ location and how each can be visualized.

In the following figures, we’ll see and discuss these configurations. Please note that each of these configurations is useful on internal networks needing protection, and protecting your resources from networks such as the Internet. Our first configuration is shown in Figure 1.

Figure 1 shows the basic configuration that would be used in a simple network situation in which there was no need to provide external services. This configuration would typically be used to begin to protect a small business or home network. It could also be used within an internal network to protect an inner network that had to be divided and isolated from the main network.

This situation could include Payroll, Finance, or Development divisions that need to protect their information and keep it away from general network use and view. Figure 2 details a protection design that would allow for the implementation and provision of services outside the protected network. In this design, it would be imperative that rules be enacted to not allow the untrusted host to access the internal network.

Security of the bastion host machine would be accomplished on the machine itself, and only minimal and necessary services would be enabled or installed on that machine. In this design, we might be providing a Web presence that did not involve e-commerce or the necessity to dynamically update content. This design would not be used for provision of virtual private network (VPN) connections, FTP services, or other services that required other content updates to be performed regularly.

Figure 3 shows a basic DMZ structure. In this design, the bastion host is partially protected by the firewall.

Rather than the full exposure that would result to the bastion host in Figure 2, this setup would allow us to specify that the bastion host in Figure 2 could be allowed full outbound connection, but the firewall could be configured to allow only port 80 traffic inbound to the bastion host (assuming it was a Web server) or others as necessary for connection from outside.

This design would allow connection from the internal network to the bastion host if necessary, and potentially allow updating of Web server content from the internal network if allowed by firewall rule, which could allow traffic to and from the bastion host on specific ports as designated.

Figure 4 shows a generic dual-firewall DMZ configuration. In this arrangement, the bastion host can be protected from the outside and allowed to connect to or from the internal network. In this arrangement, like the conditions in Figure 3, flow can be controlled to and from both of the networks away from the DMZ.

This configuration and method is more likely to be used if more than one bastion host is needed for the operations or services being provided.

Now that we’ve had a quick tour of some generic designs, let’s look at the way network communications traffic typically flows through them. Be sure to note the differences between the levels and the flow of traffic and protections offered in each. Figure 5 illustrates the flow pattern for information through a basic single-firewall setup.

This type of traffic control can be achieved through hardware or software and is the basis for familiar products such as Internet Connection Sharing (ICS) and the NAT functionality provided by digital subscriber line (DSL) and cable modems used for connection to the Internet. Note that flow is unrestricted outbound, but the basic configuration will drop all inbound connections that did not originate from the internal network.

Figure 6 reviews the traffic flow in a network containing a bastion host and a single firewall. This network configuration does not produce a DMZ; the protection of the bastion host is configured individually on the host and requires extreme care in setup. Inbound traffic from the untrusted network or the bastion host is dropped at the firewall, providing protection to the internal network. Outbound traffic from the internal network is allowed.

Figure 7 shows the patterns of traffic as we implement a DMZ design. In this form, inbound traffic flows through to the bastion host if allowed through the firewall and is dropped if destined for the internal network. Two-way traffic is permitted as specified between the internal network and the bastion host, and outbound traffic from the internal network flows through the firewall and out, generally without restriction.

Figure 8 contains a more complex path of flow for information, but provides the most capability in these basic designs to allow for configuration and provision of services to the outside. In this case, we have truly established a DMZ, separated and protected from both the internal and external networks.

This type of configuration is used quite often when there is a need to provide more than one type of service to the public or outside world, such as e-mail, Web servers, DNS, and so forth. Traffic to the bastion host can be allowed or denied as necessary from both the external and internal networks, and incoming traffic to the internal network can be dropped at the external firewall.

Outbound traffic from the internal network can be allowed or restricted to the bastion host (DMZ network) or the external network. As you can see, there is a great amount of flexibility in the design and function of your protection mechanisms.