Placing your servers outside the DMZ
Our Web, FTP (file transfer protocol) and DNS (domain name system) servers are placed in a DMZ (demilitarized zone) and allowed access from the outside zone on only certain ports. If I keep the servers in the inside zone and then allow outside access to the ports, what is the difference? We practically use the same commands on a Cisco PIX firewall to allow the ports for access from lower-security zones to higher-security zones.
Good question. A good reason for placing these servers in a DMZ, rather than on the inside network, is to prevent attacks that may come from inside or outside your network. Studies have shown that a majority of security incidents are caused by insiders. Doesn't it make sense that you should have the same rules for inside and outside access? Another reason for segregating the servers to a DMZ is to help protect your internal network. For example, there are many attacks that now operate over Port 80, which you need open for your Web server. By putting the Web server in a DMZ, you could leave Port 80 open for the DMZ, but might be able to leave it closed for the internal network. If you had the server on that internal network, you couldn't close that port. You always want to deny everything and then allow as needed. By putting the servers in a DMZ, you have more granularity in applying that security axiom.
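To make the difference concrete, here is a small policy model of a default-deny, three-zone firewall (outside / dmz / inside). It is an added example and not part of the original answer or any Cisco configuration; the zone names, the published ports, the ports used in the comparison (445 and 22) and the rule set are constructed assumptions. The point it demonstrates is the one in the answer: two hosts in the same zone never traverse the firewall, so a server on the inside network can be reached from, and can reach, every other inside host with no rule at all, whereas a server in the DMZ only gets the access you explicitly allow.

```python
"""Model of a default-deny, three-zone firewall (added example, not from the
original Q&A).  Zone names, ports and rules below are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    """An explicit allow rule for traffic that crosses from one zone to another."""
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: Optional[int]  # None means any port


class Firewall:
    """Default-deny policy: cross-zone traffic must match an allow rule.

    Traffic between two hosts in the same zone never reaches the firewall, so
    the firewall cannot filter it; the model reports it as permitted."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules: List[Rule] = list(rules)

    def permits(self, src_zone: str, dst_zone: str, proto: str, dst_port: int) -> bool:
        if src_zone == dst_zone:
            return True  # same segment: the firewall is not in the path
        return any(
            r.src_zone == src_zone and r.dst_zone == dst_zone and r.proto == proto
            and (r.dst_port is None or r.dst_port == dst_port)
            for r in self.rules
        )


# Ports the question's servers publish (assumed): web, FTP control, DNS.
PUBLISHED = [("tcp", 80), ("tcp", 21), ("tcp", 53), ("udp", 53)]

# Both designs let inside users browse out (assumed rule).
USERS_OUT = [Rule("inside", "outside", "tcp", None)]

# Design A: servers in the DMZ.  Outside and inside may reach only the published
# ports in the DMZ; there is no rule from the DMZ toward inside or outside.
DMZ_DESIGN = Firewall(
    [Rule(src, "dmz", proto, port) for src in ("outside", "inside") for proto, port in PUBLISHED]
    + USERS_OUT
)

# Design B: the same servers on the inside network, with the same published
# ports opened from outside straight into the inside zone.
INSIDE_DESIGN = Firewall(
    [Rule("outside", "inside", proto, port) for proto, port in PUBLISHED] + USERS_OUT
)


def exposure(fw: Firewall, server_zone: str) -> Dict[str, bool]:
    """What can reach the servers, and what a compromised server can reach.
    Port 445 stands in for an internal file service and 22 for server admin
    access (both assumed for illustration)."""
    return {
        "outside_to_web": fw.permits("outside", server_zone, "tcp", 80),
        "outside_to_inside_smb": fw.permits("outside", "inside", "tcp", 445),
        "inside_user_to_web": fw.permits("inside", server_zone, "tcp", 80),
        "inside_user_to_server_ssh": fw.permits("inside", server_zone, "tcp", 22),
        "compromised_server_to_inside_smb": fw.permits(server_zone, "inside", "tcp", 445),
        "compromised_server_to_internet": fw.permits(server_zone, "outside", "tcp", 443),
    }


def differences() -> Dict[str, tuple]:
    """Paths whose outcome changes between the two designs, as (dmz, inside)."""
    a, b = exposure(DMZ_DESIGN, "dmz"), exposure(INSIDE_DESIGN, "inside")
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    for path, (dmz, inside) in differences().items():
        print(f"{path:36s} DMZ design: {dmz!s:5s}  inside design: {inside!s:5s}")
```

Running it shows that the two designs look identical from the outside (only the published ports are reachable either way) and differ exactly on the paths the answer cares about: an inside user hitting the server's admin port, a compromised server reaching an internal file service, and a compromised server calling out to the Internet. In the DMZ design each of those needs a rule you chose to write; in the inside design none of them ever passes through the firewall.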
This was first published in May 2003