DMZ Network: Is It Necessary to Secure Company Resources?
by Erin Risk

DMZ Network: Is It Necessary to Secure Company Resources?

A DMZ network sits between a company’s secure perimeter and unsecured external networks such as the internet. Web servers and other externally-facing systems sit in the DMZ without compromising the security of internal resources.

This article will explain DMZs and why they have been valuable elements of traditional network security architectures. However, DMZs are not perfect security solutions — even if you follow best practices. We will explain how modern security solutions based on Zero Trust provide a better fit to the way businesses work today.

What is a DMZ network?

The concept of a demilitarized zone, or DMZ, describes methods for interfacing internal, protected networks with untrusted external networks. For decades, DMZs have been critical elements of the traditional secure perimeter paradigm. They provide more securable paths for data to flow between the protected network and the internet.

Often called a perimeter network, the DMZ is a subnetwork that exists outside the secure perimeter’s defenses but remains under network administrators’ control. External-facing resources are placed within the DMZ to be accessed from the internet. Network access control systems limit traffic flowing between the DMZ and the internal network.

The separation and control that DMZs provide make it easier to protect internal resources, provide access, and reduce the risks of cyberattacks. The benefits of a DMZ includes:

Minimize security breach impacts

DMZs limit the scope of successful security breaches. Should hackers penetrate a DMZ, they only have access to the resources within that particular DMZ. Network access controls constrain their ability to move laterally and prevent them from surveilling the internal network.

At the same time, a DMZ’s extra security measures give administrators a better chance to spot unusual network traffic and close the breach quickly.

Decoupling services from databases

Externally-facing systems often need access to proprietary databases and other resources:

  • Web servers need access to customer information.
  • Email servers need access to company directories.
  • API servers need access to backend databases.

However, placing these proprietary resources on a publicly-facing server is too risky. Hosting the front-end server within a DMZ while keeping sensitive back-end resources on the protected internal network avoids those risks.

Isolate less secure services

FTP and other services with few security controls can become vectors for cyberattacks. Placing FTP servers in their own DMZ reduces the risk that a successful attack can propagate to the internal network.

Internet access for internal users

Access control rules can force all internal use of the internet through a dedicated proxy server sitting in a DMZ. This gives administrators more visibility and control over the company’s internet usage.

Improve internal network performance

Frequently-accessed web servers impose high loads on networks. Placing these servers in a DMZ takes those loads off the internal network. Administrators can optimize the DMZ subnet to handle those loads more efficiently.

How do DMZ networks work?

One approach to building a business DMZ network uses a single firewall. Access control rules determine what traffic enters the DMZ, accesses the DMZ’s resources, and may enter the internal network. This architecture is simple to create and manage, but it is not the most secure option. If hackers breach the single firewall, they breach the secure perimeter.

A dual-firewall architecture increases security at the expense of added administrative complexity. In this approach, an external firewall controls access between the internet and the DMZ’s resources. An internal firewall, ideally from a different provider, controls the DMZ’s resources and the internal network. Should hackers breach the external firewall, they do not get immediate access to the internal network.

Note that the consumer-grade internet routers small businesses may use often have a DMZ feature. Any traffic not destined for specific hosts on the LAN gets routed to a host of a particular IP address. This consumer feature does not provide any of the security benefits of a true DMZ. The host is not on a separate subnet, and access between the host and the LAN is not controlled by a firewall.

What are the security risks of using a DMZ network?

A DMZ is as secure as its configuration, policies, and administration make it. Even then, the resources within the DMZ itself could compromise the network’s defenses. Here are some of the risks that DMZ networks may face:

Internet visibility

The resources hosted in a DMZ must be publicly visible so external users can access them. But with visibility comes discoverability. Hackers can use simple scanning tools to find the resources in a company’s DMZ, identify vulnerabilities, and plan their attacks.

DMZ network vulnerabilities

The infrastructure used to create the DMZ subnetwork must be configured and maintained correctly. Overly-permissive access control rules or unpatched firewalls can open vectors to attack. This is especially true for single-firewall DMZ architectures.

DMZ resource vulnerabilities

Many of the resources within a DMZ can introduce security vulnerabilities. Remote access technologies such as VPN or RDP, for example, have become common targets of cyberattacks. Web or email servers that are not sufficiently locked down can let hackers move laterally through the DMZ and eventually into the protected network.

DMZ’s declining relevance

The entire concept of a DMZ assumes a secure perimeter surrounding on-premises resources. But that is an outdated computing model that is less relevant to the way business works today. SD-WAN technologies, for example, bypass DMZs entirely as they link offices together over the internet. In addition, DMZs cannot protect resources hosted on cloud platforms or outsourced to cloud-based X-as-a-Service providers.

What are the best practices for securing DMZ networks?

For DMZ networks to provide both security and access, they need to be designed in ways that make any successful breach challenging to move laterally. Some best practices to follow include:

Segment DMZs

Using a single DMZ to host every externally-facing system increases the chances of a successful breach. It gives hackers more opportunities for lateral movement. Given time, they can compile information that could open a path into the protected network. And they may have that time since the complex traffic patterns in a multi-purpose DMZ make spotting unusual behavior more difficult.

Ideally, each externally-facing system should sit within a dedicated DMZ. The access control rules will be easier to specify. Traffic patterns will be easier to monitor. And hackers will have nowhere else to go.

Lockdown DMZs in dual-firewall architectures

Use firewalls from two different vendors to provide the most protection for internal networks. They are less likely to share vulnerabilities, and hackers must work harder to penetrate the internal network.

Set the minimum configuration firewalls, routers, servers, and other systems in the DMZ need to function. For example, all ports should be closed unless specifically required to pass the DMZ’s traffic.

Locking down the DMZ limits hackers’ options and makes their activity easier to discover.

Limit what hackers can learn

Do not use the internal network’s policies when defining the DMZ’s policies. Whatever hackers learn when observing how traffic in the DMZ is routed and secured should not give them insights into the internal network’s operations.

Monitor and audit

The sooner a security breach is discovered, the less damage hackers can do. Ensure that all traffic gets inspected and logged. Use intrusion detection systems in addition to each firewall’s security features.

Just because the DMZ was set up securely does not mean it remains secure. Conduct regular audits of access control rules, ports, and other potential vulnerabilities.

What alternatives exist for securing company resources other than DMZ networks?

DMZs are not the security solution they once were. Network architectures are no longer designed for physical, on-premises assets accessed by employees at their desks. Mission-critical resources may be hosted in the cloud or delivered over the internet by third parties. Complicating matters further, work-from-home and BYOD policies let more users access company resources away from the office.

In today’s more distributed environment, Zero Trust Network Access (ZTNA) provides a modern approach to securing proprietary resources. Rather than defending a secure perimeter, ZTNA defends each resource by assuming that every device, network, and user is already compromised. Explicit verification and least privilege access policies ensure that authorized users get the lowest level of access they need to do their work.

Twingate’s ZTNA solution provides the security of a DMZ no matter where users or resources are located. By applying software-defined perimeters, for example, Twingate can hide resources such as email servers from the public internet. Remote workers get direct access to the services they need. At the same time, the company’s attack surface shrinks dramatically as hackers lose discoverability.

Twingate Replaces DMZ Network Security

DMZ networks were effective solutions for their time. Putting a more secure subnet between the internet and a secure perimeter lets administrators focus their security efforts on the most likely vectors for attack. But modern network architectures are not so clean-cut. Secure perimeters are fading as more resources migrate to the cloud and more users work remotely.

Twingate lets companies replace their DMZ networks with ZTNA’s modern approach to remote access security. Contact Twingate today to learn more.

Featured Articles