Maxim_Kazmin - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Do DMZ networks still provide security benefits for enterprises?

DMZ networks were once widely used by enterprises, but are they still common today? Expert Judith Myerson explains why DMZs may be a good security option for some organizations.

Setting up DMZ networks used to be common practice, but I rarely hear about them being used anymore. Is it still...

a good practice? Are there better alternatives, like using virtual machines (VMs), or do DMZ networks still provide value?

You rarely hear about a DMZ subnetwork of a local network for a good reason. Hackers love to grab media attention with their successes in breaching a corporate or government network, such as the United States Office of Personnel Management. However, DMZ networks are often isolated and separated from the rest of the enterprise infrastructure and, therefore, are thankfully overlooked by attackers. To protect their servers against external network intrusions, organizations have used DMZ networks to separate specific portions of their crucial infrastructure.

The servers most vulnerable to being attacked, such as email, web and domain name system (DNS) servers, which are exposed to the internet, are placed in the DMZ. The DMZ started as a physical network and has evolved into a virtual one in order to better protect these IT assets (DNS servers in particular have come under fire from hackers and cybercriminals recently).

Another reason you may hear less about DMZ networks today is the increase in use of isolated VMs, as opposed to creating a physical DMZ network. However, this doesn't mean DMZs networks and VMs can't be connected.

To create a DMZ, two firewalls are needed between servers. The front-end firewall (perimeter firewall) allows traffic from the internet to the DMZ. The back-end firewall (internal firewall) permits traffic from the DMZ to the organization's internal network. Local users can still access the servers inside the DMZ networks. But the DMZ will not provide much, if any, protection against internal network attacks, such as email spoofing.

Other alternatives, like using VMs inside or outside the DMZ, on premises, or in the cloud, aren't necessarily better options than a DMZ network. A hypervisor is needed to run VMs; if the hypervisor is not properly set up, it can become compromised. The attacker, for example, could obtain passwords to gain access to all of the organization's VMs.

In addition, hypervisors can have catastrophic vulnerabilities, just like any other piece of software, and such a hypervisor flaw could potentially put an entire cloud environment at risk. Perhaps the best way to mitigate this risk is to apply hypervisor security updates and then reboot the cloud instances, though this can be disruptive for cloud clients.

DMZ networks are a good practice so long as your organization updates software for physical or virtual machines, audits DMZ configurations, and assigns proper user roles. Always make sure a DMZ standby is ready to take over for the primary DMZ if the primary system is compromised.

Next Steps

Find out how Xen hypervisor flaws affected public clouds

Read more on how read-only domain controllers benefit DMZs

Learn why data obfuscation techniques can strengthen network security

This was last published in December 2016

Dig Deeper on Enterprise network security