How to create a DMZ area under different network security requirements

Source: Internet
Author: User
Tags: firewall

The definition of security zones plays a vital role in building a secure network, and the DMZ (demilitarized zone) is the most important partitioning concept in network security. A DMZ is separated from the rest of the network because of the nature of the devices it holds: typically servers that must be reachable from a public network and therefore cannot be placed behind the strict security policy that applies to the rest of the network, so they are set apart in a zone of their own.

A DMZ is typically a subnet placed between the private network and the public network. Connections from the public network terminate at devices in the DMZ, and those servers are in turn accessed by the relatively well-protected devices of the private network.

There are many ways to build a DMZ, and which one to use depends on the security requirements of the network. The four most common methods are described below.

First, create a DMZ with a firewall

This method uses a firewall with three interfaces to create the isolated zone: the public network, the DMZ and the private network each attach to their own firewall interface, and the firewall enforces the separation between the zones. This gives the administrator a great deal of control over the security of the DMZ. Figure 1 shows a DMZ created with a firewall in this way. A firewall can also have more than three interfaces, which allows several DMZs to be created. This is the most common way to create a DMZ.

Figure 1 Creating a DMZ using a firewall
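As an added example (not code from the original article), the following Python model expresses the three-interface policy of Figure 1 as an ordered, first-match, default-deny rule list and checks a few flows against it. The zone subnets (RFC 5737 documentation ranges plus 10.0.0.0/8), the port choices and the helper names `zone_of`, `evaluate` and `find_pivot_rules` are assumptions made for illustration; the firewall is assumed to be stateful, so only the direction that opens a connection is modelled. It goes slightly beyond the text by including an audit, `find_pivot_rules`, that flags any rule allowing the DMZ to initiate connections into the private network, the mistake most often made when a DMZ web tier is given direct access to an internal database.

```python
"""Zone-based policy model for the three-interface DMZ design (Figure 1).

Added illustration, not code from the original article. The address plan is
an assumption using RFC 5737 documentation ranges:
    dmz     = 192.0.2.0/24   public-facing servers
    private = 10.0.0.0/8     internal network
    public  = anything else
Rules are evaluated first-match with default deny. The firewall is assumed
to be stateful, so only the connection-opening direction is modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "private": ip_network("10.0.0.0/8"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside a known subnet is public."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "public"


@dataclass(frozen=True)
class Rule:
    src: str             # zone name or "any"
    dst: str             # zone name or "any"
    proto: str           # "tcp", "udp" or "any"
    dports: frozenset    # destination ports; empty means any port
    action: str          # "accept" or "drop"
    comment: str = ""


def rule(src, dst, action, proto="any", dports=(), comment=""):
    return Rule(src, dst, proto, frozenset(dports), action, comment)


# Ordered policy for a firewall with public, DMZ and private interfaces.
THREE_LEGGED_POLICY = [
    rule("public", "dmz", "accept", "tcp", (80, 443), "Internet reaches the web tier"),
    rule("private", "dmz", "accept", "tcp", (22, 443), "internal users and admins reach the DMZ"),
    rule("dmz", "public", "accept", "udp", (53,), "DMZ hosts resolve names"),
    rule("dmz", "public", "accept", "tcp", (443,), "DMZ hosts fetch updates"),
    rule("dmz", "private", "drop", comment="a compromised DMZ host must not pivot inward"),
    rule("private", "public", "accept", comment="internal egress"),
    rule("any", "any", "drop", comment="default deny"),
]

# A common mistake: letting the web tier talk straight to an internal database.
LEAKY_POLICY = [
    rule("dmz", "private", "accept", "tcp", (3306,), "web tier to internal DB"),
] + THREE_LEGGED_POLICY


def evaluate(policy, src_ip, dst_ip, proto, dport):
    """Return the action of the first matching rule, or drop if none matches."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in policy:
        if r.src not in ("any", src) or r.dst not in ("any", dst):
            continue
        if r.proto not in ("any", proto):
            continue
        if r.dports and dport not in r.dports:
            continue
        return r.action
    return "drop"


def find_pivot_rules(policy):
    """Audit: comments of accept rules that let the DMZ open connections inward."""
    return [r.comment for r in policy
            if r.action == "accept"
            and r.src in ("dmz", "any") and r.dst in ("private", "any")]


if __name__ == "__main__":
    checks = [
        ("198.51.100.7", "192.0.2.10", "tcp", 443),   # Internet -> DMZ web
        ("198.51.100.7", "192.0.2.10", "tcp", 22),    # Internet -> DMZ ssh
        ("192.0.2.10", "10.1.2.3", "tcp", 445),       # DMZ -> private SMB
        ("10.1.2.3", "192.0.2.10", "tcp", 22),        # private -> DMZ ssh
        ("198.51.100.7", "10.1.2.3", "tcp", 443),     # Internet -> private
    ]
    for flow in checks:
        print(flow, "->", evaluate(THREE_LEGGED_POLICY, *flow))
    print("pivot rules in LEAKY_POLICY:", find_pivot_rules(LEAKY_POLICY))
```

Because the rules are first-match, the order in `THREE_LEGGED_POLICY` is part of the policy: the explicit `dmz -> private` drop sits before the broad `private -> public` accept, and the catch-all drop comes last. Adding a second DMZ is a matter of another entry in `ZONES` and its own rules; the audit should then be extended to flag acceptance from that zone into `private` as well.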

Second, create a DMZ outside the firewall, between the public network and the firewall

In this configuration the DMZ sits on the public side of the firewall, and traffic bound for the firewall first passes through the DMZ. This configuration is generally not recommended, because the firewall has very little control over the security of the DMZ devices: they are effectively part of the public zone and are not really protected by anything other than their own host security. Figure 2 shows this way of creating a DMZ.

Figure 2 Creating a DMZ between the public network and the firewall

Third, create a DMZ outside the firewall but not between the public network and the firewall

This configuration is similar to the second method (shown in Figure 3), with one difference: the DMZ is not placed in the path between the firewall and the public network, but on a separate, isolated interface of the edge router that connects the firewall to the public network. This configuration still provides very little protection for the devices in the DMZ, but it isolates the firewall from a DMZ network that is unprotected and therefore vulnerable. The edge router can be configured to deny all traffic from the DMZ subnet to the subnet on which the firewall resides, and placing the two subnets on separate VLANs adds a second, Layer 2 layer of isolation between them. This configuration is useful when a host in the DMZ subnet is compromised and the attacker tries to use that host to attack the firewall and the network behind it.

Figure 3 Creating a DMZ outside the firewall but not between the public network and the firewall

Fourth, create a DMZ between cascading firewalls

In this design (shown in Figure 4), two firewalls are placed in series: all traffic to the private network must pass through both firewalls, and the network between them serves as the DMZ. The firewall in front of the DMZ gives it considerable protection; the drawback is that all traffic between the private network and the public network must also cross the DMZ, so a compromised DMZ device could let an attacker intercept and attack that traffic in various ways. Placing the link between the two firewalls on a dedicated VLAN, separate from the VLAN on which the DMZ hosts sit, mitigates this risk.

Figure 4 Creating a DMZ between cascading firewalls

Partitioning is an important concept in security design. With a well-designed DMZ isolation scheme, the compromise of a device in a low-security zone poses little risk to the equipment in the more secure zones.
