DMZ is the abbreviation of "Demilitarized Zone". It addresses the problem that, once a firewall is installed, the external network can no longer reach the servers on the internal network. A DMZ is a buffer zone established between the insecure and the secure systems: a small network area located between the enterprise's internal network and the external network, in which the servers that must be exposed can be placed, such as the enterprise Web server, FTP server and BBS. At the same time, such a DMZ protects the internal network more effectively, because this kind of deployment puts one more hurdle in an attacker's path than an ordinary firewall setup does.
Introduction
Network equipment vendors use DMZ technology to build corresponding firewall solutions, the so-called "DMZ structure model". The DMZ is usually a screened subnet: a security buffer constructed between the internal network and the external network.
A DMZ firewall solution adds a security perimeter in front of the internal network and is usually regarded as very safe. It provides an area in which public servers can be placed, which avoids the conflict between Internet applications that must be publicly reachable and the internal security policy. The DMZ often contains the bastion host, the modem pool and all public servers. Note, however, that an e-commerce server placed there should only accept user connections; the real e-commerce backend data must stay on the internal network.
This firewall scheme uses two firewalls. The external firewall defends against attacks from the external network and controls all access from the external network to the DMZ. The internal firewall controls access from the DMZ to the internal network. The internal firewall is the internal network's third security perimeter (after the external firewall and the bastion host), so even when the external firewall fails it can still protect the internal network. Access to the DMZ bastion host from the Internet and from the internal LAN is controlled by the internal firewall. In such a structure an attacker must get through three separate barriers (external firewall, internal firewall and bastion host) to reach the LAN. The difficulty of attack is greatly increased and the security of the internal network is correspondingly strengthened, but the investment cost is also the highest.
If your machine does not host a website or other network services, do not enable the DMZ setting: it opens all of your computer's ports to the network.
1: What is a DMZ
DMZ (Demilitarized Zone), commonly called the demilitarized zone, sits between the untrusted region and the trusted region. Its purpose is to place the servers that must allow external access, such as WEB and E-mail, in a separate area, so that the entire internal network that needs protection stays in the trusted region, where no external access is allowed. This separates the internal and external networks and meets the user's requirements. The DMZ can be understood as a special network area distinct from both the external network and the internal network. Servers that do not normally hold confidential information are placed in it, such as the public Web, E-mail and FTP servers. Visitors from the external network can reach the DMZ services but cannot touch company secrets or the private information stored on the internal network; even if a server in the DMZ is compromised, the network holding the confidential information is not affected.
2: Why a DMZ is needed
In practice, some hosts need to provide services to the outside world. To provide those services while still effectively protecting the internal network, these hosts that must be exposed are separated from the internal network equipment, and, according to the different needs, corresponding measures are adopted so that they can offer friendly service externally while the internal network is protected to the greatest extent. Different resources receive different levels of protection according to their security needs. Building a DMZ area provides network-level protection for the hosted environment; it reduces the danger posed by services offered to untrusted clients and is the best place for public information. In a system without a DMZ, the security of the internal network and its hosts is usually not as solid as people expect: providing Internet services creates many loopholes and leaves other hosts vulnerable to attack. By configuring a DMZ, the Web application servers and database systems that need to be protected, which hold sensitive data, are kept on the internal side, and a host that holds no data itself, acting as a data-access intermediary, is placed in the DMZ; this provides protection for the application system. The DMZ keeps internal systems containing important data from being directly exposed to the external network and its attacks; even an attacker who succeeds in an initial intrusion into the DMZ still faces new barriers.
3: DMZ network access control strategy
When planning a network that has a DMZ, we can clearly define the access relationships between the networks and determine the following six access control strategies.
1. The internal network can access the external network
Internal network users clearly need to access the external network freely. Under this strategy the firewall has to perform source address translation.
2. The internal network can access the DMZ
This strategy allows internal network users to use and manage the DMZ servers.
3. The external network cannot access the internal network
Obviously, the internal network stores the company's internal data, and these data must not be accessible to users on the external network.
4. The external network can access the DMZ
The servers in the DMZ exist to provide services to the outside world, so the external network must be able to reach the DMZ. At the same time, the firewall has to translate the external address used to reach the DMZ into the server's actual address.
5. The DMZ cannot access the internal network
Obviously, if this strategy is violated, an intruder who has taken over the DMZ can mount a further attack on the important data on the internal network.
6. The DMZ cannot access the external network
This strategy has exceptions: for example, a mail server placed in the DMZ needs access to the external network, otherwise it will not work properly.
In a network, the demilitarised zone (DMZ) refers to the isolated area in which services are provided to untrusted systems. Its purpose is to segment the sensitive internal network from the other network areas that provide access services, preventing direct communication with the external network and thereby ensuring network security.