Setting up DMZ networks used to be common practice, but I rarely hear about them being used anymore. Is it still a good practice? Are there better alternatives, like using virtual machines (VMs), or do DMZ networks still provide value?
You rarely hear about a DMZ subnetwork of a local network for a good reason. Hackers love to grab media attention with their successes in breaching a corporate or government network, such as the United States Office of Personnel Management. However, DMZ networks are often isolated and separated from the rest of the enterprise infrastructure and, therefore, are thankfully overlooked by attackers. To protect their servers against external network intrusions, organizations have used DMZ networks to separate specific portions of their crucial infrastructure.
The servers most vulnerable to being attacked, such as email, web and domain name system (DNS) servers, which are exposed to the internet, are placed in the DMZ. The DMZ started as a physical network and has evolved into a virtual one in order to better protect these IT assets (DNS servers in particular have come under fire from hackers and cybercriminals recently).
Another reason you may hear less about DMZ networks today is the increased use of isolated VMs instead of a physical DMZ network. However, this doesn't mean DMZ networks and VMs can't be combined.
To create a DMZ, two firewalls are needed. The front-end (perimeter) firewall allows traffic from the internet into the DMZ. The back-end (internal) firewall permits traffic from the DMZ into the organization's internal network. Local users can still access the servers inside the DMZ network. But the DMZ will not provide much, if any, protection against attacks that originate on the internal network, such as email spoofing.
Other alternatives, like using VMs inside or outside the DMZ, on premises, or in the cloud, aren't necessarily better options than a DMZ network. A hypervisor is needed to run VMs; if the hypervisor is not properly set up, it can become compromised. The attacker, for example, could obtain passwords to gain access to all of the organization's VMs.
In addition, hypervisors can have catastrophic vulnerabilities, just like any other piece of software, and such a hypervisor flaw could potentially put an entire cloud environment at risk. Perhaps the best way to mitigate this risk is to apply hypervisor security updates and then reboot the cloud instances, though this can be disruptive for cloud clients.
DMZ networks are a good practice so long as your organization updates software for physical or virtual machines, audits DMZ configurations, and assigns proper user roles. Always make sure a DMZ standby is ready to take over for the primary DMZ if the primary system is compromised.
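As an added example (not part of the original answer), here is a small audit of a two-firewall DMZ policy expressed as zone-to-zone allow rules. The zone names, the sample ruleset and the set of services the back-end firewall is permitted to relay are assumptions; it flags internet traffic that reaches the internal LAN without passing through the DMZ, and DMZ-to-internal rules broader than those few relay services.

```python
"""Audit a two-firewall DMZ policy (added example; zones, rules and the
approved relay ports below are constructed, not taken from any product)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    firewall: str        # "perimeter" (front-end) or "internal" (back-end)
    src: str             # zone name: "internet", "dmz" or "internal"
    dst: str
    port: Optional[int]  # None means any port

# Services the back-end firewall may relay from the DMZ (assumed values).
ALLOWED_DMZ_TO_INTERNAL = {25, 389}   # mail relay, LDAP to a read-only DC

def audit(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Return (rule_index, message) for every rule that breaks the DMZ model."""
    findings = []
    for i, r in enumerate(rules):
        if r.src == "internet" and r.dst == "internal":
            findings.append((i, "internet reaches the internal LAN directly, bypassing the DMZ"))
        elif r.firewall == "perimeter" and r.dst == "internal":
            findings.append((i, "front-end firewall must only forward into the DMZ"))
        elif r.src == "dmz" and r.dst == "internal":
            if r.port is None:
                findings.append((i, "DMZ may reach any internal port; a compromised DMZ host pivots freely"))
            elif r.port not in ALLOWED_DMZ_TO_INTERNAL:
                findings.append((i, f"DMZ->internal port {r.port} is not an approved relay service"))
        elif r.src == "internet" and r.port is None:
            findings.append((i, "internet may reach the DMZ on every port; expose only the published service"))
        # internal -> dmz is left alone: as noted above, the DMZ does not
        # defend against traffic that originates on the internal network.
    return findings

SAMPLE_POLICY = [   # constructed ruleset; comments mark expected verdicts
    Rule("perimeter", "internet", "dmz", 443),        # ok: public web server
    Rule("perimeter", "internet", "dmz", 25),         # ok: inbound mail
    Rule("perimeter", "internet", "dmz", None),       # bad: every DMZ port exposed
    Rule("perimeter", "internet", "internal", 3389),  # bad: remote desktop into LAN
    Rule("internal", "dmz", "internal", 25),          # ok: relay to internal mail
    Rule("internal", "dmz", "internal", None),        # bad: unrestricted pivot path
    Rule("internal", "dmz", "internal", 445),         # bad: SMB from DMZ into LAN
    Rule("internal", "internal", "dmz", 443),         # ok: staff reach DMZ apps
]

if __name__ == "__main__":
    for idx, msg in audit(SAMPLE_POLICY):
        print(f"rule {idx}: {msg}")
```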
Related Q&A from Judith Myerson