What is the DMZ area, the function and principle of the DMZ area

1. Concept:
A DMZ is a buffer zone between a non-secure system (the external network) and a secure system (the internal network). It solves the problem that, once a firewall is installed, users on the external network can no longer reach the servers of the internal network. The buffer is a small network segment located between the enterprise's internal network and the external network. Servers that must be publicly reachable (such as the corporate web server, FTP server, forum, and so on) can be placed in this segment; at the same time, the DMZ protects the internal network more effectively. With this kind of deployment, compared with an ordinary firewall solution, an attacker coming from the external network faces one more barrier.

A DMZ can be understood as a special network area that is distinct from both the external network and the internal network.

In a local area network connected through a router, the network can be divided into three areas:
- the LAN area (internal network), with the highest security level;
- the DMZ area, with a medium security level;
- the Internet area (external network), with the lowest security level.
The three areas have different tasks and therefore different access policies.

2. DMZ principle:
The server hosts that provide services to the outside are placed in a dedicated subnet, the DMZ. A host in the DMZ can communicate with other hosts in the same DMZ and with hosts on the external network, while its communication with hosts on the internal network is restricted. In this way the DMZ hosts can be reached from both the internal and the external network, while the internal network stays hidden from the external network.

3. Access control policy (the area between the two firewalls is the DMZ):
For a network with a DMZ, the following access control rules are usually defined in order to isolate the DMZ:
1. The intranet can access the external network.
Intranet users obviously need free access to the external network. Under this rule the firewall needs to perform source address translation.

2. The intranet can access the DMZ.
This strategy is for the convenience of intranet users to use and manage the servers in the DMZ.

3. The external network cannot access the internal network.
Obviously, the internal network stores the company's internal data, which must not be accessible to users on the external network.

4. The external network can access the DMZ.
The servers in the DMZ exist to provide services to the outside world, so the external network must be able to reach the DMZ. At the same time, for external access to the DMZ, the firewall must translate the external (public) address into the server's real address.

5. The DMZ cannot access the intranet.
Obviously, if this rule is violated, an intruder who compromises the DMZ can go on to attack the important data of the intranet.

6. The DMZ cannot access the external network.
This rule has exceptions. For example, when a mail server is placed in the DMZ, it needs to reach the external network, otherwise it cannot work properly.

In networking, the demilitarized zone (DMZ) is an isolated network segment that provides services to untrusted systems. Its purpose is to separate the sensitive internal network from the networks that provide access services and to prevent direct communication between the internal network and the external network, thereby ensuring the security of the intranet.
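The six rules above can be written down as a zone-to-zone policy table and checked mechanically. The following Python script is an added example, not code from the original post: it classifies addresses into the three zones using a constructed address plan (10.0.0.0/8 for the intranet, 192.168.100.0/24 for the DMZ, everything else treated as the Internet), applies the six rules, records which NAT action the firewall has to perform for a permitted flow, and models the rule 6 exception as an explicit allow-list of DMZ hosts and destination ports (a constructed mail server at 192.168.100.25 sending SMTP). All addresses and the exception entry are assumptions for the example.

```python
import ipaddress

# Constructed address plan for the three zones (an assumption, not from the article).
# Anything that matches neither prefix is treated as the external network (Internet).
ZONES = {
    "intranet": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}

# The six inter-zone rules from the article, keyed by (source zone, destination zone).
# The value is (allowed, NAT action the firewall must perform for that direction).
POLICY = {
    ("intranet", "internet"): (True, "SNAT"),   # rule 1: source address translated on the way out
    ("intranet", "dmz"):      (True, None),     # rule 2: intranet users manage DMZ servers
    ("internet", "intranet"): (False, None),    # rule 3: the Internet never reaches the intranet
    ("internet", "dmz"):      (True, "DNAT"),   # rule 4: public address -> server's real address
    ("dmz", "intranet"):      (False, None),    # rule 5: a compromised DMZ host must not pivot inward
    ("dmz", "internet"):      (False, None),    # rule 6: denied by default, exceptions listed below
}

# Rule 6 exceptions: (DMZ host, destination port) pairs that genuinely need outbound access.
# Constructed example: a mail server in the DMZ that must deliver SMTP to the outside.
DMZ_EGRESS_EXCEPTIONS = {
    (ipaddress.ip_address("192.168.100.25"), 25),
}


def zone_of(ip):
    """Classify an address as intranet, dmz or internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def decide(src_ip, dst_ip, dst_port):
    """Return the firewall verdict for one flow as {"verdict", "nat", "reason"}."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        # Hosts inside one zone may talk to each other (the article allows DMZ-to-DMZ traffic).
        return {"verdict": "allow", "nat": None, "reason": f"intra-zone traffic within {src_zone}"}
    allowed, nat = POLICY[(src_zone, dst_zone)]
    if allowed:
        return {"verdict": "allow", "nat": nat, "reason": f"{src_zone} -> {dst_zone} permitted by policy"}
    if (src_zone, dst_zone) == ("dmz", "internet") and \
            (ipaddress.ip_address(src_ip), dst_port) in DMZ_EGRESS_EXCEPTIONS:
        # Outbound from a published DMZ server: its real address is mapped back to the public one.
        return {"verdict": "allow", "nat": "SNAT", "reason": "rule 6 exception for a listed DMZ host/port"}
    return {"verdict": "deny", "nat": None, "reason": f"{src_zone} -> {dst_zone} denied by policy"}


if __name__ == "__main__":
    # Constructed sample flows, one per rule plus the rule 6 exception.
    flows = [
        ("10.1.2.3", "203.0.113.5", 443),        # rule 1
        ("10.1.2.3", "192.168.100.10", 22),      # rule 2
        ("198.51.100.7", "10.1.2.3", 445),       # rule 3
        ("198.51.100.7", "192.168.100.10", 80),  # rule 4
        ("192.168.100.10", "10.1.2.3", 3306),    # rule 5
        ("192.168.100.10", "203.0.113.5", 25),   # rule 6, web server is not on the exception list
        ("192.168.100.25", "203.0.113.5", 25),   # rule 6 exception (mail server)
    ]
    for src, dst, port in flows:
        d = decide(src, dst, port)
        print(f"{src:>15} -> {dst:<15}:{port:<5} {d['verdict']:5} nat={d['nat']}  {d['reason']}")
```

Keeping the exceptions as a separate, explicit allow-list rather than weakening rule 6 as a whole is the point: every DMZ host that is not listed remains unable to initiate connections outward, which limits what a compromised DMZ server can do.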

4. Service configuration:
1. The services provided by the DMZ go through network address translation (NAT) and are restricted by security rules, which hides the servers' real addresses and controls access. First, a clear network topology must be established according to the services to be provided and the security policy, and the IP addresses and port numbers of the application servers in the DMZ area, as well as the direction of data flow, must be determined. As a rule, direct communication between the external network area and the internal network area is prohibited, while the DMZ area may communicate with both the external network area and the internal network area, subject to the security rules.

2. Address translation
Communication between the servers in the DMZ zone and the internal and external network zones is achieved through network address translation (NAT). NAT maps one address domain (such as the private intranet) onto another address domain (such as the Internet) in order to hide the private network. A server in the DMZ is mapped to an internal network address when it serves the internal network and to an external network address when it serves the external network. When static mapping is used to configure NAT, service IP addresses and real IP addresses must be mapped one to one, and both source address translation and destination address translation must be available.
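The static mapping described here, with its two requirements (one-to-one service-to-real mapping, and both destination and source translation), can be shown with a small model of the firewall's NAT tables. The following Python script is an added example, not code from the original post; it covers only the external-facing mapping. The service addresses (203.0.113.x) and real DMZ addresses (192.168.100.x) are constructed for the example.

```python
# Constructed one-to-one static mapping: public service address -> real DMZ address.
# These addresses are assumptions for the example, not from the article.
STATIC_MAP = {
    "203.0.113.10": "192.168.100.10",  # web server
    "203.0.113.25": "192.168.100.25",  # mail server
}


def build_tables(static_map):
    """Derive the DNAT (inbound) and SNAT (outbound) tables and enforce the one-to-one rule."""
    inbound, outbound = {}, {}
    for service_ip, real_ip in static_map.items():
        if real_ip in outbound:
            # Two service addresses pointing at one real address would make the reverse
            # (source) translation ambiguous, which is why the article requires one-to-one.
            raise ValueError(f"real address {real_ip} is mapped from more than one service address")
        inbound[service_ip] = real_ip
        outbound[real_ip] = service_ip
    return inbound, outbound


INBOUND, OUTBOUND = build_tables(STATIC_MAP)


def translate_inbound(pkt):
    """External client -> DMZ server: rewrite the destination (destination address translation).
    A packet whose destination is not a published service address is dropped (None)."""
    real = INBOUND.get(pkt["dst"])
    if real is None:
        return None
    return {**pkt, "dst": real}


def translate_outbound(pkt):
    """DMZ server -> external client: rewrite the source back to the service address (source
    address translation) so the real address never appears on the outside."""
    service = OUTBOUND.get(pkt["src"])
    if service is None:
        return None
    return {**pkt, "src": service}


if __name__ == "__main__":
    # Constructed request from an external client to the published web server address.
    request = {"src": "198.51.100.7", "dst": "203.0.113.10", "sport": 51234, "dport": 80}
    inside = translate_inbound(request)
    print("inbound :", request, "->", inside)
    # The server's reply carries its real address; the firewall maps it back before it leaves.
    reply = {"src": inside["dst"], "dst": inside["src"], "sport": inside["dport"], "dport": inside["sport"]}
    print("outbound:", reply, "->", translate_outbound(reply))
    # A destination that is not in the static map is not forwarded at all.
    print("unmapped:", translate_inbound({**request, "dst": "203.0.113.99"}))
```

Two things to note from running it: the client only ever sees 203.0.113.10, never 192.168.100.10, and a packet addressed to an unpublished address gets no translation and is dropped, so the static table doubles as a list of what is exposed.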

Source: blog.csdn.net/weixin_42563968/article/details/108789588