3.8 What is a DMZ, and why do I want one?
"DMZ" is an abbreviation for "demilitarized zone". In the context of
firewalls, this refers to a part of the network that is neither part
of the internal network nor directly part of the Internet. Typically,
this is the area between your Internet access router and your bastion
host, though it can be between any two policy-enforcing components of
your architecture.

A DMZ can be created by putting access control lists on your access
router. This minimizes the exposure of hosts on your external LAN by
allowing only recognized and managed services on those hosts to be
accessible by hosts on the Internet. Many commercial firewalls simply
make a third interface off the bastion host and label it the DMZ.
The point is that the network is neither "inside" nor "outside".

For example, a web server running on NT might be vulnerable to a
number of denial-of-service attacks against such services as RPC,
NetBIOS and SMB. These services are not required for the operation of
a web server, so blocking TCP connections to ports 135, 137, 138, and
139 on that host will reduce the exposure to a denial-of-service
attack. In fact, if you block everything but HTTP traffic to that
host, an attacker will only have one service to attack.

This illustrates an important principle: never offer attackers more to
work with than is absolutely necessary to support the services you
want to offer the public.
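The two access-list policies described above (block only the NT-specific ports, versus permit HTTP and nothing else) can be compared directly by modelling first-match ACL evaluation. The following Python is an added example, not part of the FAQ or of any router's configuration syntax; the web server address 192.0.2.10 is a constructed documentation-range address, and the rule format is an assumption made for the model rather than any vendor's ACL language.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed example address (RFC 5737 documentation range), not from the FAQ.
DMZ_WEB_SERVER = "192.0.2.10"


@dataclass(frozen=True)
class Rule:
    """One entry of an access list applied to Internet -> DMZ traffic."""
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp", or "any"
    dst_net: str             # destination network in CIDR notation
    dst_port: Optional[int]  # None matches any destination port

    def matches(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        return (
            (self.proto == "any" or self.proto == proto)
            and ip_address(dst_ip) in ip_network(self.dst_net)
            and (self.dst_port is None or self.dst_port == dst_port)
        )


def evaluate(rules: List[Rule], proto: str, dst_ip: str, dst_port: int) -> str:
    """First-match evaluation, as on a typical access router; implicit deny at the end."""
    for rule in rules:
        if rule.matches(proto, dst_ip, dst_port):
            return rule.action
    return "deny"


# Policy 1: block only the RPC/NetBIOS ports the text names; everything else reaches the host.
BLOCK_NETBIOS_ONLY = [
    Rule("deny", "tcp", DMZ_WEB_SERVER + "/32", 135),
    Rule("deny", "tcp", DMZ_WEB_SERVER + "/32", 137),
    Rule("deny", "tcp", DMZ_WEB_SERVER + "/32", 138),
    Rule("deny", "tcp", DMZ_WEB_SERVER + "/32", 139),
    Rule("permit", "any", DMZ_WEB_SERVER + "/32", None),
]

# Policy 2: permit HTTP only; the implicit deny covers every other service.
HTTP_ONLY = [
    Rule("permit", "tcp", DMZ_WEB_SERVER + "/32", 80),
]


def exposed_tcp_ports(rules: List[Rule], dst_ip: str, ports=range(1, 1024)) -> List[int]:
    """TCP ports on dst_ip that an Internet host could reach under these rules."""
    return sorted(p for p in ports if evaluate(rules, "tcp", dst_ip, p) == "permit")


if __name__ == "__main__":
    for name, policy in (("block NetBIOS only", BLOCK_NETBIOS_ONLY), ("HTTP only", HTTP_ONLY)):
        reachable = exposed_tcp_ports(policy, DMZ_WEB_SERVER)
        print(f"{name}: {len(reachable)} reachable TCP ports below 1024")
```

Running this shows why the FAQ prefers the second policy: the block-list leaves every service the administrator did not think of reachable, while the permit-list reduces the reachable surface to the single service the host is there to offer.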
Vesaria
3640 Fords Lane, Suite D
Baltimore, MD 21215
443 - 501 - 4044