Level 6
Aim of a DMZ
A DMZ adds a security layer to an already secured network
Before setting up a DMZ, you must first control the security of your local area network (LAN), "the kernel". The aim of a DMZ is not to secure a LAN that has not already been secured; the DMZ has to "complicate" the hacker's life by giving extra security to the LAN "kernel" (protocol rupture, alerts, and so on).
When a security system is created for a LAN, it is said to be perfect... but even without your knowing of their existence, some daemons may be running insidiously, and unknown software flaws may appear. That is the reason why we want a supplementary security layer, in case the first one is not optimal.
Actually, a DMZ relies on the same measures as the typical security of an IP local area network (LAN), but it also adds, for example, one or several applicative servers (daemons) and the protocol rupture. In fact, it is a second LAN, and maybe more. With a DMZ, there are more network and applicative controls (different from those of a typical IP LAN security). The aim of a DMZ is to prevent a hacker from passing through the second level of security; some alerts will be set off before he reaches that level.
[Figure: Classical security of a LAN]
[Figure: LAN security with a DMZ]
The machines included in the DMZ should have total control over the flows between the LAN and the outside world.
Schema:
1. files are coming from the outside world
2. the communication which will be at the origin of the file creation has been accepted by the 1st firewall
3. a file is created among the files of one of the DMZ application servers
4. with the agreement of the 2nd firewall and of the distant applicative on the LAN, this file is then sent on
Under no circumstances may a process initiated from the outside world write directly on a LAN machine. In this way, all traffic flows into the LAN are checked. The symmetrical rule holds (from the LAN to the internet or "unfriendly" outside).
Everything is forbidden, except the things clearly authorized.
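As an added illustration (not code from the original page), the following Python model evaluates flows against the two firewalls of the schema above with a default-deny policy. The networks, the SMTP relay and the mail server are constructed assumptions; the model shows that an outside-initiated flow can never reach the LAN directly and is only delivered in two separately authorized hops through the DMZ application server.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses for this example; the page names no networks.
DMZ = ip_network("192.0.2.0/24")
LAN = ip_network("10.0.0.0/8")
MAIL_RELAY = ip_address("192.0.2.25")  # applicative server (daemon) in the DMZ
LAN_MAIL = ip_address("10.1.1.25")     # the "distant applicative" on the LAN

@dataclass(frozen=True)
class Flow:
    src: str    # initiating host
    dst: str    # destination host
    dport: int  # destination TCP port

@dataclass(frozen=True)
class Rule:
    src: object   # ip_network: who may initiate
    dst: object   # ip_network: what may be reached (a /32 for one host)
    dport: int

# Firewall 1 (outside <-> DMZ): anyone outside may only speak SMTP to the relay.
FW1 = [Rule(ip_network("0.0.0.0/0"), ip_network(f"{MAIL_RELAY}/32"), 25)]
# Firewall 2 (DMZ <-> LAN): only the relay may speak SMTP to the LAN mail server.
FW2 = [Rule(ip_network(f"{MAIL_RELAY}/32"), ip_network(f"{LAN_MAIL}/32"), 25)]

def zone(addr: str) -> str:
    a = ip_address(addr)
    return "dmz" if a in DMZ else "lan" if a in LAN else "outside"

def permits(rules: list, flow: Flow) -> bool:
    """Default deny: a flow passes only if some rule explicitly allows it."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    return any(src in r.src and dst in r.dst and flow.dport == r.dport for r in rules)

def decide(flow: Flow) -> str:
    """Every firewall the flow crosses must allow it; outside<->LAN crosses both."""
    zones = frozenset({zone(flow.src), zone(flow.dst)})
    crossed = {frozenset({"outside", "dmz"}): [("FW1", FW1)],
               frozenset({"dmz", "lan"}): [("FW2", FW2)],
               frozenset({"outside", "lan"}): [("FW1", FW1), ("FW2", FW2)]}
    for name, rules in crossed.get(zones, []):  # same-zone traffic crosses nothing
        if not permits(rules, flow):
            return f"DROP by {name}"
    return "ACCEPT"

def relay_from_outside(sender: str) -> tuple:
    """The schema's path: two separately checked hops, never one outside->LAN flow."""
    return (decide(Flow(sender, str(MAIL_RELAY), 25)),
            decide(Flow(str(MAIL_RELAY), str(LAN_MAIL), 25)))
```

A direct outside-to-LAN flow is dropped at the first firewall because no rule names a LAN destination, while the same delivery succeeds hop by hop through the relay.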
Vivid example:
an apartment is secured with a reinforced door (security level 1); to increase this security, a keypad entry system (digicode) is installed in the hall of the building (security level 2). Level 2 can only be operational if level 1 is correct: for example, if the security of level 1 is just a ranch door.... no utility!!!
If a boat's hull has a leak, even if you add a second hull the problem will still exist. The leak will continue...