Hacker attack and defense: how to secure DMZ

Source: Internet
Author: User

DMZ design has come a long way. If your organization needs a DMZ, that is no longer the question; the question now is how to design a secure one.

In computer security, a DMZ is a physical or logical subnet that hosts the services an organization provides to external users and exposes them to a larger, untrusted network, generally the Internet. The original DMZ design simply created a subnet separate from the internal network, and every service that had to be open to the Internet was placed in that subnet.

Today's DMZ designs are a bit like the vehicles on a road. A truck that hauls freight is designed above all to minimize transport cost, an economy car is designed to save money, and a luxury car is designed to make the buyer's friends jealous. DMZ design is the same: there are many possible variations, but they all serve the same purpose.

We use countless network names today, but they all come down to internal networks, external networks and DMZs. They may be called partner networks, supplier networks, internal DMZs or security zones; in practice they are all DMZs with different mixes of devices, connections and risks. BKJIA editor's note: if you have seen the movie, you will notice that the work of a network designer is much like that of a dream architect.

DMZ design goals

If you ask 10 network architects how to design a DMZ, you may get 10 completely different answers. Variety makes life more interesting, but in a field like ours we should follow some recognized practices for DMZ design.

The core principle of DMZ design is to isolate devices, systems, services and applications according to risk. The ultimate goal is to contain risk: when one device or system is compromised, isolation keeps the other devices and systems from being affected. Besides risk-based isolation, four other common approaches are isolation by operating system, by data classification, by trust level and by business unit.

If you look at audit and compliance requirements, you will find that they contain more and more technical design requirements. Some newer requirements call for separating web and application tiers from databases, which is a good idea. We also find that many organizations want to dedicate each server to a single role; for example, a web server should not also act as a DNS server.

Four levels of DMZ Design

We divide DMZ design into four levels. The first level is the simplest design, and each higher level provides finer-grained security control. When building a basic DMZ, you usually start with a firewall and a single network segment. In our DMZ Design book we call this a level-1 design. It is adequate when only a small number of servers must be opened to the Internet, but if you want to run e-commerce transactions you need a more advanced design.

Many designers make the same mistake: they place the web and application servers in the DMZ and the database on the internal network. This is actually the least secure arrangement, because attacks against the database become more targeted; deploying the database on the internal network calls for a more complex design, and attacks that originate inside the network are more dangerous.

Level 2 DMZ Design

A level-2 DMZ design may include multiple DMZ networks. It improves on the level-1 design in many respects, since it lets you write communication rules between the individual DMZs and so gives you control and isolation. First, put web and application services, databases, identity and authentication services, VPN, partner connections, email and mobile services each in its own DMZ. In today's network environment this is entirely feasible: most firewalls can easily handle dozens of interfaces, and each interface can support multiple VLANs.

Level 3 DMZ Design

A common problem with level-2 DMZ designs is that the firewall rules are too permissive, and devices that should not be reachable from the Internet end up exposed. The correct solution is to use two firewalls, an external one and an internal one; this is called a level-3 design. The DMZs are placed between the firewalls according to their access restrictions. Inbound Internet traffic is allowed through the external firewall into the external DMZ, but is never routed directly to a device in the internal DMZ behind the internal firewall. The internal network can communicate with the internal DMZ, but not with the external DMZ.

The level-3 design uses two firewalls, each with its own policy, to effectively isolate Internet-facing devices and the services they depend on, and most security teams quickly grasp the access rules between the external DMZ and the internal DMZ. The great temptation is to create rules that allow inbound traffic from the DMZ into the internal network; this should always be forbidden. Every required service should be placed in a DMZ, and the internal network should never be exposed.
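The zone rules of the level-3 design above can be written down as a policy and used to audit proposed firewall rules before they are deployed. The following is an added example, not code from the original article; the zone names, ports and rule set are constructed for illustration.

```python
# Zone-policy audit for a three-level DMZ (external firewall, external DMZ,
# internal firewall, internal DMZ). Constructed example; zone names and ports
# are assumptions, not values from the article.
from dataclasses import dataclass

# The four zones of the level-3 design.
ZONES = {"internet", "external_dmz", "internal_dmz", "internal"}

# Flows the design permits (source zone -> destination zone). Anything not
# listed is denied by default; in particular no DMZ may reach "internal",
# and "internal" may reach the internal DMZ but not the external DMZ.
ALLOWED_FLOWS = {
    ("internet", "external_dmz"),      # inbound via the external firewall
    ("external_dmz", "internal_dmz"),  # e.g. web/app tier to database tier
    ("internal", "internal_dmz"),      # staff access to the internal DMZ
}


@dataclass(frozen=True)
class Rule:
    """One candidate firewall rule: allow src zone -> dst zone on a TCP port."""
    src: str
    dst: str
    port: int
    comment: str = ""


def flow_allowed(src: str, dst: str) -> bool:
    """True if the zone policy permits traffic from src to dst."""
    unknown = {src, dst} - ZONES
    if unknown:
        raise ValueError(f"unknown zone(s): {sorted(unknown)}")
    return (src, dst) in ALLOWED_FLOWS


def audit(rules):
    """Return the rules that would violate the three-level DMZ policy."""
    return [r for r in rules if not flow_allowed(r.src, r.dst)]


# Constructed rule set: three compliant rules and two that break the design.
CANDIDATE_RULES = [
    Rule("internet", "external_dmz", 443, "public HTTPS to web tier"),
    Rule("external_dmz", "internal_dmz", 5432, "web tier to database"),
    Rule("internal", "internal_dmz", 22, "admin SSH to internal DMZ"),
    Rule("internet", "internal_dmz", 5432, "BAD: bypasses the external DMZ"),
    Rule("external_dmz", "internal", 445, "BAD: DMZ into internal network"),
]

if __name__ == "__main__":
    for r in audit(CANDIDATE_RULES):
        print(f"VIOLATION {r.src} -> {r.dst}:{r.port}  ({r.comment})")
```

Running the script prints the two offending rules; a real deployment would map each zone to firewall interfaces or VLANs and generate the rule base from the allowed flows only.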

Unfortunately, this restriction is often broken. IT teams frequently lack coordination or effective communication, new applications are rushed into deployment without regard for security, and network complexity and other factors lead organizations to stand up key services on their internal networks, which is very dangerous.

Level 4 DMZ Design

The level-4 DMZ design is more complex. It usually deploys firewalls in pairs at the various network boundaries, distributes the DMZs between those firewalls and isolates them according to the criteria you choose. Most designers prefer to isolate by service or functional group; some prefer to isolate by trust level.

Best practice is to build separate firewall stacks according to service level agreement (SLA) and data classification. You can create a completely separate firewall stack for PCI-scoped systems, a service-isolation firewall for user services (web browsing, FTP, email, patching and so on), and a separate firewall for commercial services. When commercial services are placed in a DMZ by SLA, 90%, 98% and 99.9% are three of the best targets. Designing the DMZ around SLAs simplifies DMZ management and reduces service interruptions.

Summary

Finally, be as rigorous as possible during planning and design. Once a DMZ is in production, major flaws in its design are troublesome to fix. Building a thorough review process into the organization also improves communication with other stakeholders, whether they are other IT staff, business owners, partners or management; they will come to see you as a thoughtful risk manager and strategic thinker, and your standing in the company rises accordingly. Perhaps most importantly, you will receive more valuable feedback and suggestions. If a single conversation could have a major impact on your DMZ design, would you hesitate to start it?
