Chapter 5 Devices and infrastructure

Terms in this set (168)

A buffer network (or subnet) that is located between a private network and an untrusted network, such as the internet.

A demilitarized zone (DMZ) is a buffer network (or subnet) that sits between the private network and an untrusted network (such as the internet). A DMZ typically contains publicly accessible resources, such as web, FTP, or email servers. Creating a demilitarized zone (DMZ) is part of a layered security approach.
Be aware of the following DMZ facts:
If the firewall managing traffic into the DMZ fails, only the servers in the DMZ are subject to compromise; the LAN remains protected because the inner firewall still separates it from the DMZ.
Packet filters on the firewall allow traffic directed to the public resources inside the DMZ. Packet filters also prevent unauthorized traffic from reaching the private network.
When designing the firewall packet filters, a common practice is to close all ports by default and open only those ports necessary for accessing the public resources inside the DMZ.
To allow access to private resources from the internet, use one of the following approaches:
Place a VPN server inside the DMZ. Require internet users to authenticate to the VPN server and then allow communications from the VPN server to the private network. Only communications coming through the VPN server are allowed through the inner firewall.
Copy resources that are accessible to internet users to servers inside the DMZ. Even with authentication and authorization configured, this approach exposes those resources in the DMZ to internet attacks.
Typically, firewalls allow traffic originating in the secured internal network into the DMZ and through to the internet. Traffic that originates in the DMZ (low-security area) or the internet (no-security area) should not be allowed access to the intranet (high-security area).