DMZ

The Importance of a DMZ

The DMZ prevents computers on the Internet from talking to computers inside the corporate network. Rather, computers on the Internet can only talk to specially locked down computers on the DMZ.

The exception to this rule is remote employees that connect to the corporate network through a VPN gateway.

The Limitations of a DMZ

The servers on the DMZ can be accessed from the Internet, making them more exposed.

Because VPN connections provide direct access, malicious users with the ability to guess someone's password, or create their own VPN account (by compromising a Domain Controller) will have unimpeded access to the internal network.

Vidder's DMZ Recommendations

Vidder strongly recommends using a DMZ for all services accessed from the Internet. Each server on the DMZ should be limited to hosting only one service so that the server can be fully hardened and locked down. In addition, Vidder recommends they be deployed as virtual machines so one physical machine can host multiple services and each can be re-imaged easily, if compromised.

All unnecessary software packages should be removed from these servers, configuration procedures should be put in place to harden them, and host-based firewall rules should be implemented to lock them down (these will be redundant to the physical firewall rules discussed below).

The Internet facing firewall should only open a single port to the IP address of the individual servers that offer a service on that port. All other connections should be denied.

The internal facing firewall should lock down all connections from the Internet to the internal network (except the VPN gateway).

Trusted Networking

Architecture

Applications

Industries

Overview

Internet Services

Perimeter Penetrating

Lateral Movement

Secure Clients/Servers

Data Security

Secure Networks

Secure Admins