Let's talk about some details when it comes to IT networks. In the Down to Business series, I want to introduce you to some more advanced topics in the IT world. I hope to increase your knowledge of and interest in the field of IT as you learn about all that goes on behind the scenes to make your Internet experience as seamless as possible.
For our first topic, let's talk about DMZs - why have one, what they are, where they are used, whether you should have one at home or in your office, etc. A DMZ, according to Wikipedia, "is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network, usually a larger network such as the Internet." Large networks have a lot of key pieces that need a high degree of protection. These could include DNS servers, email servers, web servers, DHCP servers, routers, switches, SANs/NASs, file servers, domain controllers, etc. A simple network in an enterprise sense doesn't exist! Enterprise networks are very complicated and must be heavily monitored to ensure they work properly and are administered securely.
Why the focus on security when discussing a DMZ, you might ask? Security is exactly what a DMZ is here for. In a military setting, a DMZ (or demilitarized zone) is an area that doesn't belong to either party. Well, in the IT world, the DMZ does happen to belong to the organization hosting it, but there is a difference - it is exposed to the outside world (carefully). For email servers, web servers, DNS servers, FTP servers - anything that is a normal attack target for hackers - there is a choice that keeps the internal network much safer - keep them out of it. Think about the number of attacks that a web server faces on a daily basis; could you imagine it sitting inside an internal network where the rest of your precious files and devices live? No.
The DMZ lives to protect the internal LAN. Host a web server in the DMZ rather than inside your LAN. You can place specific safeguards on the DMZ to keep it safe from hackers, but you can also have it exposed to the world so that people can access your website with ease. There are two major types of DMZ configurations. The first has a single firewall, with the DMZ logically placed outside of the physical network. This aids in network management and keeps costs down. The second has 2 firewalls, ordered FW-DMZ-FW-LAN. This gives a higher level of protection and granularity at the expense of higher costs and maintenance.
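The single-firewall layout described above, as an added example that is not from the original post: an nftables ruleset for one Linux firewall with three interfaces. The interface names (wan0, dmz0, lan0), the 192.0.2.0/28 addresses and the choice of published and admin ports are assumptions made for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example: single-firewall DMZ policy on a three-interface Linux box.
# Assumed (constructed) names and addresses, not taken from the article:
#   wan0 = Internet, dmz0 = DMZ (192.0.2.0/28), lan0 = internal LAN
#   192.0.2.10 = web server in the DMZ, 192.0.2.11 = mail server in the DMZ
flush ruleset

table inet dmz_fw {
    chain forward {
        # Anything not explicitly allowed between zones is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that an earlier rule allowed.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published services.
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport { 80, 443 } accept
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.11 tcp dport 25 accept

        # Internet -> LAN: no rule, so it falls through to policy drop.

        # LAN -> DMZ: use of the services plus SSH for administration.
        iifname "lan0" oifname "dmz0" tcp dport { 22, 80, 443 } accept

        # LAN -> Internet: outbound traffic is allowed.
        iifname "lan0" oifname "wan0" accept

        # DMZ -> LAN: DMZ hosts never start a connection into the LAN.
        # Logged so that a DMZ host probing the LAN is visible.
        iifname "dmz0" oifname "lan0" log prefix "DMZ->LAN blocked: " drop

        # DMZ -> Internet: only what the servers need (DNS, outbound mail, HTTP/S).
        iifname "dmz0" oifname "wan0" udp dport 53 accept
        iifname "dmz0" oifname "wan0" tcp dport { 25, 53, 80, 443 } accept
    }

    chain input {
        # Traffic addressed to the firewall itself.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        # Manage the firewall only from the LAN side.
        iifname "lan0" tcp dport 22 accept
    }
}
```

The rule that matters most is the DMZ-to-LAN drop: a compromised DMZ server gets no path into the LAN, and the log line records the attempt.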
As a home user, do you have the need for a DMZ? Can you even take advantage of a DMZ on a home router? The answers are maybe and yes, kind of. As far as using a DMZ goes, there are some routers out there (I'm thinking Verizon specifically) that actually allow for a DMZ (it's a bit concocted and not truly a DMZ, but it is close, so we'll call it a DMZ). This would be the place to stick a hardened FTP server, a webcam, a printer, etc. These items might need to be accessed from the outside world, and rather than poking a bunch of holes in your firewall, you could place these items in a DMZ instead and keep the rest of your network safe. Now, this goes without saying, but make sure to keep these items well hardened. A DMZ is almost open Internet with these kinds of home routers, so make sure not to place your valuables or anything personal outside your internal LAN. You can definitely get by without having a DMZ, but why just get by? Enjoy your IT world!