
How to Install a Demilitarized Zone for Your Servers

This article is a short guide to the DMZ (Demilitarized Zone) concept and the ways to implement it on a server. It also includes useful tips on how to increase the security of such setups, with a special focus on Linux/*NIX-type systems.

Common setups used for small and medium networks include a firewall that processes all the requests from the internal network (LAN) to the Internet and from the Internet to the LAN. This firewall is the only protection the internal network has in these setups, and it handles any NAT (Network Address Translation), forwarding and filtering as necessary. In most cases, the firewall also runs the public services accessible from the Internet, such as web and e-mail services. In such setups the DMZ is therefore installed on, and effectively limited to, the firewall server itself.

Setting a DMZ
Why use a DMZ?
A DMZ aims to secure the internal network from external access. It does so by isolating the public services (those that hosts on the Internet must be able to connect to) from the private LAN machines in your network.

The most common method of implementing such a divider is to set up a firewall with three network interfaces installed. The first one is used for the Internet connection, the second for the DMZ network and the third for the private LAN. All inbound connections are forwarded to the DMZ, because the private LAN runs no services and accepts no inbound connections. Setting up a DMZ therefore helps isolate the LAN from attacks originating on the Internet.

How to set a DMZ?
First of all, you need to decide what services will run on each machine. The DMZ is generally on a different network segment, both physically and logically. This means that you need to use a separate machine to host the services you want to make public (such as DNS, web, mail etc.). From the connectivity point of view, the DMZ will be located on a different subnet than the LAN.

Furthermore, NAT should be provided for the computers on the LAN in order to give the client hosts Internet access. The clients should also be allowed to connect to the servers in the DMZ.

Hardening the DMZ machines
Computers in the DMZ obviously need to be hardened as much as possible, given that they stand in the first line, right behind the firewall. Their position protects the LAN from attacks, but it also increases the risk that they themselves get compromised.
Here is a list of methods that you can use to increase the security of your DMZ systems:

    * Disable all unnecessary services and dæmons;
    * Run services chrooted whenever possible;
    * Run services with unprivileged UIDs and GIDs whenever possible;
    * Delete or disable unnecessary user accounts;
    * Configure logging and check logs regularly;
    * Use your firewall's security policy and anti-IP-spoofing features.

The DMZ infrastructure can also be improved by adding multiple demilitarized zones with different security levels, depending on the number of systems and services being deployed on the network. These zones can be assembled in a tier-like structure so that the information is passed from one DMZ to another.

This type of network infrastructure is not the most secure way of protecting the private perimeter, but it is sometimes required. An example of such a situation is a web server placed in a DMZ that requires access to a database server, placed in a second DMZ, over a secured port (and that port only). This database server could in turn access some data held on the private LAN systems, if there is such a requirement. This way, the database is shielded from public exposure, while the web server stays accessible and the private LAN stays isolated.
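The three-interface setup described under "How to set a DMZ?" (NAT for the LAN, inbound forwarding to the DMZ only, LAN access to the DMZ, anti-spoofing) and the tiered DMZ described just above (web server reaching the database server over one port only) can be expressed as a single iptables rule set. The script below is an added example and is not part of the original article: it is a generator that prints the rules rather than applying them, so it can be reviewed and saved before running on a real firewall. The interface names (eth0 to eth3), subnets, host addresses and the database port 5432 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: print an iptables rule set for a Linux firewall with
# WAN, DMZ, LAN and second-tier DMZ interfaces. Names and addresses are
# assumed values, not taken from the article.

WAN_IF=eth0      # Internet-facing interface
DMZ_IF=eth1      # public-service segment (first DMZ)
LAN_IF=eth2      # private LAN
DMZ2_IF=eth3     # second-tier DMZ holding the database server

LAN_NET=192.168.1.0/24
DMZ_NET=10.0.1.0/24
DMZ2_NET=10.0.2.0/24

WEB=10.0.1.10    # web server in the first DMZ
DB=10.0.2.10     # database server in the second DMZ
DB_PORT=5432     # the one secured port the web server may use (assumed)

dmz_rules() {
    # Kernel side: enable routing between interfaces and reverse-path
    # filtering, which drops packets whose source does not belong on
    # the interface they arrived on.
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "sysctl -w net.ipv4.conf.all.rp_filter=1"

    # Default deny: every permitted flow is listed explicitly below.
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"

    # Anti-spoofing: internal source addresses must never arrive from the WAN.
    for net in $LAN_NET $DMZ_NET $DMZ2_NET 127.0.0.0/8; do
        echo "iptables -A INPUT -i $WAN_IF -s $net -j DROP"
        echo "iptables -A FORWARD -i $WAN_IF -s $net -j DROP"
    done

    # Replies belonging to already accepted flows may pass in any direction.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # 1. NAT for the LAN: clients reach the Internet through the firewall.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"

    # 2. Inbound public services go to the DMZ web server and nowhere else.
    for port in 80 443; do
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $port -j DNAT --to-destination $WEB:$port"
        echo "iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $WEB -p tcp --dport $port -j ACCEPT"
    done

    # 3. LAN clients may open connections to DMZ servers; nothing new
    #    flows from the DMZ into the LAN (no rule with -i DMZ -o LAN exists).
    echo "iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $DMZ_NET -j ACCEPT"

    # 4. Tiered DMZ: the web server reaches the database on one port only,
    #    and the database tier never talks to the Internet.
    echo "iptables -A FORWARD -i $DMZ_IF -o $DMZ2_IF -s $WEB -d $DB -p tcp --dport $DB_PORT -j ACCEPT"
    echo "iptables -A FORWARD -i $DMZ2_IF -o $WAN_IF -j DROP"
}

# Sanity check used during review: count rules that would let the DMZ
# initiate connections into the LAN. The expected answer is 0.
dmz_to_lan_rules() {
    dmz_rules | grep -c -- "-i $DMZ_IF -o $LAN_IF" || true
}

dmz_rules
```

Running the script prints the commands; redirecting the output to a file and executing it as root on the firewall applies them. Every ACCEPT in the FORWARD chain names both the inbound and outbound interface and a source or destination, so a host that is plugged into the wrong segment, or that spoofs an internal address from the WAN side, matches no rule and is dropped by the default policy.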

Note: The above-listed methods apply to Linux/*NIX-type systems only.

What to keep in mind?
The simplicity of the DMZ concept makes it very powerful and widely used. A DMZ can be considered a safeguard, although it is not a security measure by itself. However, combined with a tight, well-thought-out network infrastructure, IDS (intrusion detection systems) and IPS (intrusion prevention systems), it can become a barricade against attackers and unwanted or unneeded traffic.

The original article, together with a graphical representation of a DMZ, is available here: