DMZ


Time: 4 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 4
Video Transcription
>> Hi, and welcome to this quick lesson on DMZs. DMZ stands for demilitarized zone. If you think about it in terms of military or countries, it's an area, usually on the border of a country; there's an area on each side of the border where you're not allowed to have any military facilities. There's a treaty area where each side can come together in a peaceful, semi-trusted manner to have conversations. It's the same concept in IT.

In a DMZ environment, in IT and cyberspace, essentially what you're doing is exposing something from your internal network that you need to expose to the Internet or to an untrusted entity. You need to allow people outside the organization to access some services, but you don't want to fully trust those entities out there, so you create this demilitarized zone where you expose some services, but on a very careful, selective basis. We use firewalls to build this. It's the same concept that we just discussed with segmentation; this is just another form of segmentation, it just happens right at the perimeter.

The way this looks is, if we've got something out there on the Internet, for example, that wants to connect to an internal database; let's say we have a database, and there's some data on it that we need to be able to give people in the outside world. Well, we don't want to expose our entire database to the outside world and let people make direct connections, because that's easily abused, so we can build this DMZ environment. We essentially can put a firewall on each side. It's two firewalls with semi-trusted entities in the middle. You've got untrusted on the left, you've got semi-trusted in the middle, and you've got trusted on the right. You can do this with two physical firewalls, or you can create logical segmentation within the same firewall where you've just simply got one VLAN on one side and one VLAN on the other side, but you're logically separating the two.

Now, when this request comes in, once we've created this DMZ with these two firewalls, we can have a policy in our firewall. When that connection from the Internet comes in, it comes in and it says, well, we're not going to allow people to access our firewall, our internal database, directly, but we're going to force them to go through this other system. It might be an application server in a tiered approach, like we did last time. In this case, the Internet connection comes in and hits the DMZ system. We can say it's coming in on TCP 443, and we've got a policy down there that allows that particular flow to come in. We've got another policy that will allow that DMZ system to go to the internal database, again on, let's say, 1433; that's just a SQL query, but it can be whatever, and we've got that policy that allows it. Anything else, so if something on the Internet tried to come in and connect directly to the database, it would be denied, or if something tried to come in and connect to that application server in the DMZ on a different port than 443, it would be denied. We can granularly control the access between an outside entity and an internal service that we want to expose with a DMZ architecture.

That's it for our quick lesson on DMZs. Next up, we're going to go to Lesson 2.2.3, where we're going to be talking about IPS and IDS devices.
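As an added example that is not part of the lesson, here is a small Python model of the two-firewall DMZ the lesson describes: the outer firewall only permits Internet traffic to the DMZ application server on TCP 443, the inner firewall only permits that server to reach the internal database on TCP 1433, and a flow is allowed only if every firewall on its path has a matching rule (default deny). The addresses, zone names and rule format are constructed assumptions for this example, not values from the lesson or any real firewall.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (documentation ranges), not from the lesson:
# 192.0.2.0/24 is the DMZ, 10.0.0.0/8 is the internal network, anything else is the Internet.
ZONE_ORDER = ["untrusted", "semi-trusted", "trusted"]   # left to right in the lesson's diagram
ZONE_NETS = {
    "semi-trusted": ipaddress.ip_network("192.0.2.0/24"),
    "trusted": ipaddress.ip_network("10.0.0.0/8"),
}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONE_NETS.items():
        if addr in net:
            return zone
    return "untrusted"          # anything not explicitly ours is treated as the Internet

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int

# Each firewall carries its own allow list; a flow it does not match is denied (default deny).
FIREWALLS = {
    "outer": [Rule("untrusted", "semi-trusted", "tcp", 443)],   # Internet -> DMZ app server (HTTPS)
    "inner": [Rule("semi-trusted", "trusted", "tcp", 1433)],    # DMZ app server -> SQL Server
}

def firewalls_crossed(src_zone: str, dst_zone: str) -> list[str]:
    """Outer firewall sits between untrusted and semi-trusted, inner between semi-trusted and trusted."""
    i, j = sorted((ZONE_ORDER.index(src_zone), ZONE_ORDER.index(dst_zone)))
    return ["outer", "inner"][i:j]          # same zone -> no firewall in the path

def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> tuple[str, str]:
    """Return (verdict, reason) for a new connection; every firewall on the path must allow it."""
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    flow = Rule(sz, dz, proto, dport)
    path = firewalls_crossed(sz, dz)
    for fw in path:
        if flow not in FIREWALLS[fw]:
            return "deny", f"{fw} firewall: no rule for {sz}->{dz} {proto}/{dport}"
    return "allow", f"{sz}->{dz} {proto}/{dport} permitted by {' and '.join(path) or 'no firewall (same zone)'}"

if __name__ == "__main__":
    for flow in [("203.0.113.5", "192.0.2.10", "tcp", 443),    # Internet -> app server, HTTPS
                 ("192.0.2.10", "10.1.1.20", "tcp", 1433),     # app server -> database
                 ("203.0.113.5", "10.1.1.20", "tcp", 1433),    # Internet straight to the database
                 ("203.0.113.5", "192.0.2.10", "tcp", 22)]:    # Internet -> app server, wrong port
        print(flow, *evaluate(*flow))
```

The direct Internet-to-database attempt is stopped at the outer firewall before the inner one is ever consulted, which is the layered property the lesson's two-firewall layout is meant to give you.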