DMZ
- Portion of the network between the border router and the non-public computing services.
- In computer networks, a DMZ (demilitarized zone) is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network.
Perimeter Security Topologies
- Any network that is connected (directly or indirectly) to your organization, but is not controlled by your organization, represents a risk.
- Perimeter topologies include demilitarized zones (DMZs), extranets, and intranets.
Network Address Translation (NAT)
- Internet standard that enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic.
- Provides a type of firewall by hiding internal IP addresses.
- Enables a company to use more internal IP addresses.
Creating and Developing Your Security Design
- Control secrets: what knowledge would enable someone to circumvent your system? Know your weaknesses and how they can be exploited.
- Limit the scope of access: create appropriate barriers in your system so that if intruders access one part of the system, they do not automatically have access to the rest of the system.
- Understand your environment: auditing tools can help you detect unusual events.
- Limit your trust: people, software and hardware.
DMZ Security
- Firewalls
- Firewall functions
- Interaction of firewalls with data
Services
- The DMZ typically contains devices accessible to Internet traffic:
  - Web (HTTP) servers
  - FTP servers
  - SMTP (e-mail) servers
  - DNS servers
DMZ Design Goals
- Filtering DMZ traffic: identify traffic coming in on the DMZ interface of the firewall or router that appears to have a source IP address on a network other than the DMZ network number (spoofed traffic).
- The firewall or router should be configured to initiate a log message or rule alert to notify the administrator.
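The spoof check described above, as an added example that is not part of the original slides: each ingress interface is mapped to the network its packets should originate from, and any flow arriving on the DMZ interface with a source address outside the DMZ network produces an alert line. The interface names, addressing and flow records are constructed for illustration; the mapping generalizes the slide's single DMZ case to any number of interfaces.

```python
import ipaddress
from typing import Dict, List, Tuple

# Ingress interface -> network that packets arriving on it should carry as source.
# Constructed example addressing (RFC 5737 / RFC 1918 ranges), not from the page.
INTERFACE_NETWORKS: Dict[str, ipaddress.IPv4Network] = {
    "dmz0": ipaddress.ip_network("192.0.2.0/24"),  # hypothetical DMZ network number
    "lan0": ipaddress.ip_network("10.0.0.0/8"),    # hypothetical internal LAN
}

# Constructed sample flow records as a firewall might log them:
# (ingress interface, source IP, destination IP, service)
SAMPLE_FLOWS: List[Tuple[str, str, str, str]] = [
    ("dmz0", "192.0.2.10", "203.0.113.5", "tcp/80"),   # legitimate: DMZ web server replying
    ("dmz0", "10.0.0.5", "203.0.113.5", "tcp/443"),    # spoofed: internal address seen on DMZ side
    ("dmz0", "203.0.113.9", "192.0.2.10", "tcp/25"),   # spoofed: external address seen on DMZ side
    ("lan0", "10.1.2.3", "192.0.2.10", "tcp/80"),      # legitimate: LAN host reaching DMZ web server
    ("dmz0", "not-an-ip", "192.0.2.10", "tcp/22"),     # malformed source: treated as suspicious
]


def is_spoofed(interface: str, src_ip: str,
               interface_networks: Dict[str, ipaddress.IPv4Network] = INTERFACE_NETWORKS) -> bool:
    """True when a packet arriving on `interface` carries a source address that
    does not belong to the network that interface is supposed to originate.
    Unknown interfaces have no policy here and are not flagged; an unparsable
    address is flagged, since it cannot be a valid DMZ source either."""
    expected = interface_networks.get(interface)
    if expected is None:
        return False
    try:
        return ipaddress.ip_address(src_ip) not in expected
    except ValueError:
        return True


def find_spoofed_flows(flows: List[Tuple[str, str, str, str]],
                       interface_networks: Dict[str, ipaddress.IPv4Network] = INTERFACE_NETWORKS) -> List[str]:
    """Return one alert line per spoofed flow, the message a firewall or router
    would emit as a log entry or rule alert for the administrator."""
    alerts = []
    for iface, src, dst, service in flows:
        if is_spoofed(iface, src, interface_networks):
            alerts.append(f"ALERT spoofed source {src} on {iface} "
                          f"(expected {interface_networks[iface]}) -> {dst} {service}")
    return alerts


if __name__ == "__main__":
    for line in find_spoofed_flows(SAMPLE_FLOWS):
        print(line)
```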
Tunneling
- Enables a network to securely send its data through untrusted/shared network infrastructure.
- Encrypts and encapsulates a network protocol within packets carried by a second network.
- Replacing WAN links because of security and low cost.
- An option for most IP connectivity requirements.