To provide different levels of security protection for different resources, consider building an area called the "demilitarized zone" (DMZ). A DMZ is a special network area that is separate from both the extranet and the intranet. It hosts the common, public-facing servers that hold no confidential information, such as Web, Mail and FTP servers. Visitors from the extranet can reach the services in the DMZ, but they cannot reach the company's secret or private information stored on the intranet. Even if a server in the DMZ is compromised, the confidential information on the intranet is not affected.
When planning a network with a DMZ, identify the access relationships between the various networks and establish the following six access control policies.
1. Intranet access to the external network
Intranet users obviously need free access to the extranet. For this policy, the firewall must perform source address translation (source NAT) on the outgoing traffic.
2. Intranet access to the DMZ
This policy lets intranet users use and manage the servers in the DMZ.
3. The external network cannot access the intranet
The intranet holds the company's internal data, so users from the extranet must not be allowed to access it.
4. External network access to the DMZ
The servers in the DMZ exist to provide services to the outside world, so the extranet must be able to reach the DMZ. At the same time, external access to the DMZ requires the firewall to translate the published external address to the server's actual address (destination NAT).
5. The DMZ cannot access the intranet
Obviously, if this policy is violated, intruders who take over the DMZ can go on to attack the important data on the intranet.
6. The DMZ cannot access the extranet
There are exceptions to this policy: for example, a mail server placed in the DMZ needs to reach the extranet, otherwise it cannot work properly.
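The six policies above form a zone-to-zone matrix, and the usual way they break in practice is a stray "accept" (DMZ to intranet) or a forgotten NAT rule. The following audit script is an added example, not code from the original page: it encodes the six policies plus the policy 6 mail-server exception and checks a candidate rule set against them. The `Rule` class, the zone names and the sample rules are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Zones attached to the three-legged firewall described in the text.
INTRANET, DMZ, EXTRANET = "intranet", "dmz", "extranet"
# The six inter-zone policies: (src, dst) -> may traffic be initiated?
POLICY = {
    (INTRANET, EXTRANET): True,   # 1: needs source NAT on the firewall
    (INTRANET, DMZ): True,        # 2: intranet manages the DMZ servers
    (EXTRANET, INTRANET): False,  # 3
    (EXTRANET, DMZ): True,        # 4: published services, needs destination NAT
    (DMZ, INTRANET): False,       # 5: a compromised DMZ host must not reach inside
    (DMZ, EXTRANET): False,       # 6: except explicitly listed hosts (mail server)
}
NAT_REQUIRED = {(INTRANET, EXTRANET): "snat", (EXTRANET, DMZ): "dnat"}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                     # "accept" or "drop"
    src_host: Optional[str] = None  # narrows an accept to a single host
    nat: Optional[str] = None       # "snat", "dnat" or None

def audit(rules, dmz_outbound_exceptions=frozenset()):
    # Returns findings; an empty list means every rule honours the six policies.
    findings = []
    for i, r in enumerate(rules):
        pair = (r.src_zone, r.dst_zone)
        if pair not in POLICY:
            findings.append(f"rule {i}: unknown zone pair {pair}")
        elif r.action == "accept":
            if not POLICY[pair]:
                # Policy 6 tolerates named exceptions such as the DMZ mail server.
                if pair != (DMZ, EXTRANET) or r.src_host not in dmz_outbound_exceptions:
                    findings.append(f"rule {i}: accept {pair[0]}->{pair[1]} violates policy")
            elif r.nat != NAT_REQUIRED.get(pair, r.nat):
                findings.append(f"rule {i}: {pair[0]}->{pair[1]} must use {NAT_REQUIRED[pair]}")
    return findings

# Constructed sample rule set: one legitimate exception and two mistakes.
SAMPLE_RULES = [
    Rule(INTRANET, EXTRANET, "accept", nat="snat"),
    Rule(INTRANET, DMZ, "accept"),
    Rule(EXTRANET, DMZ, "accept", nat="dnat"),
    Rule(DMZ, EXTRANET, "accept", src_host="mail-dmz"),  # policy 6 exception
    Rule(DMZ, INTRANET, "accept"),                       # breaks policy 5
    Rule(EXTRANET, DMZ, "accept"),                       # forgot destination NAT
]
MAIL_EXCEPTIONS = frozenset({"mail-dmz"})
```

Running `audit(SAMPLE_RULES, MAIL_EXCEPTIONS)` reports the DMZ-to-intranet accept and the missing destination NAT while accepting the mail server exception.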
==============================
What is a "DMZ"?
That is, a zone that neither the intranet nor the external network can access directly. It is mostly used to host the WWW server and other public servers, and it is a special network set up so that external users can access the services the internal network provides.
DMZ stands for "demilitarized zone". In computing, the DMZ is an area located between the extranet and the intranet that acts as a buffer zone. The services typically placed in the DMZ are those exposed to external users, such as Web servers and FTP servers.
The DMZ is set up to better protect the enterprise network, because an attacker has to get through one more layer.