Join Lisa Bock for an in-depth discussion in this video Perimeter networks, part of IT Security Foundations: Network Security.
A perimeter network allows an organization to deploy public services such as email and web servers while isolating the internal network. Isolation is achieved by configuring a demilitarized zone, or screened subnet, where traffic is filtered by a firewall placed between the outside world and the local area network. It's called a subnet because it is a separate network; every interface on a router is a separate network. The name DMZ comes from the term demilitarized zone, an area between countries where only authorized parties are allowed.
To add another layer of security, a DMZ can be designed in a few ways. One way, as we see it here, is a multi-homed or three-legged firewall. There are a couple of concerns with this configuration: the firewall must be able to handle all traffic going to the DMZ as well as the internal network, and it is essentially a single point of failure. A more secure approach is to use a DMZ with two firewalls. The web and mail servers are accessed by external as well as internal users, but they don't need to communicate with each other.
The DMZ is a great place to put a honeypot to track hacking attempts, along with essential services such as mail and web servers that must have a public interface. The front-end firewall should be configured to allow only traffic destined for the DMZ. The back-end, or internal, firewall should allow traffic from the DMZ to the internal network. If there is heavy traffic, load balancers can be used in the DMZ to reduce traffic on the main LAN while accessing the application servers.
In addition to having two firewalls, using firewall hardware from separate vendors is suggested, as this is an even more layered approach. Although our discussion focuses on perimeter networks, keep in mind that the idea of a DMZ can be used inside the network as well, to provide isolation.
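As an added example, not part of the course, the two-firewall design above as a small Python policy model: the front-end firewall admits only flows bound for the DMZ, the back-end firewall admits only the DMZ-to-LAN service it is told about, and the web and mail servers are kept from talking to each other. The addresses, ports and the mail-relay rule are assumptions chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing for the three zones (an assumption, not from the video).
DMZ = ip_network("192.0.2.0/24")
LAN = ip_network("10.0.0.0/8")
WEB, MAIL = ip_address("192.0.2.10"), ip_address("192.0.2.25")

def zone_of(addr: str) -> str:
    a = ip_address(addr)
    return "dmz" if a in DMZ else "lan" if a in LAN else "internet"

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, src, dst, dport) -> bool:
        return (src, dst) == (self.src, self.dst) and self.dport in (None, dport)

# Front-end firewall: permit only what is destined for the DMZ, plus DMZ egress.
FRONT_END = [Rule("internet", "dmz", 80), Rule("internet", "dmz", 443),
             Rule("internet", "dmz", 25), Rule("dmz", "internet")]
# Back-end firewall: the DMZ reaches the LAN only on the mail-relay port (assumed
# service); LAN users may reach the DMZ. Anything unlisted is dropped on both hops.
BACK_END = [Rule("dmz", "lan", 25), Rule("lan", "dmz")]
RULESETS = {"front-end": FRONT_END, "back-end": BACK_END}
# Which firewalls a flow crosses on its way between two zones.
PATH = {("internet", "dmz"): ["front-end"], ("dmz", "internet"): ["front-end"],
        ("dmz", "lan"): ["back-end"], ("lan", "dmz"): ["back-end"],
        ("internet", "lan"): ["front-end", "back-end"],
        ("lan", "internet"): ["back-end", "front-end"]}

def evaluate(src: str, dst: str, dport: int) -> str:
    """Return 'allowed' or a description of where the flow is dropped."""
    s, d = zone_of(src), zone_of(dst)
    # The web and mail servers share the DMZ but have no need to talk to each other.
    if {ip_address(src), ip_address(dst)} == {WEB, MAIL}:
        return "dropped by DMZ host policy"
    for fw in PATH.get((s, d), []):  # same-zone flows cross no firewall
        if not any(r.matches(s, d, dport) for r in RULESETS[fw]):
            return f"dropped at {fw} firewall"
    return "allowed"

if __name__ == "__main__":
    for flow in [("198.51.100.7", "192.0.2.10", 443), ("198.51.100.7", "10.1.1.5", 445),
                 ("192.0.2.10", "10.1.1.25", 3389), ("192.0.2.10", "192.0.2.25", 25)]:
        print(flow, "->", evaluate(*flow))
```

A flow from the Internet straight to the LAN never reaches the back-end firewall: it is already dropped at the front-end because its destination is not the DMZ.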
Note: This training maps to a number of the exam topics on the Microsoft Technology Associate (MTA) Security Fundamentals exam (98-367). See https://www.microsoft.com/learning/en-us/exam-98-367.aspx for more information.
- Implementing secure content management (SCM)
- Implementing unified threat management (UTM)
- Introducing VLANs
- NAT addressing
- Network sniffing
- Understanding common attack methods, such as password attacks
- Protecting clients with antivirus software
- Implementing physical security