4 hours 25 minutes
Hi and welcome to this quick lesson on Dems is DMC stands for demilitarized zone. And if you think about it in terms of military or countries, it's an area on usually on the border of a country. There's an area on each side of the border
where you're not allowed to have any military facilities. You know there's a
sort of a treaty area where each side can come together in a peaceful, semi trusted manner. Toe have conversations. It's the same concept in I t in a D m Z environment in I t. In cyberspace.
It's essentially What you're doing is you're exposing something from your internal network that you need to expose to the Internet or to expose to an untrusted entity.
And you need to allow people outside the organization to
access some services. But you don't want fully fully trust those entities out there. So you create this demilitarized zone where you expose some services, but on a very careful, selective basis, and we use firewalls to build this the same concept that we just discussed with segmentation.
This is just another form of segmentation. It just happens right at the perimeter
the way this looks is if we've got something out there on the Internet, for example, that wants to connect to an internal database, right? Let's say we have database. There's some data on it that we need to be able to give people in the outside world. Well, we don't want to expose our entire database to the outside world and let people make direct connections because that's easily abused.
So we can build this d M Z environment,
and we essentially can put a firewall on each side. We put its two firewalls with a semi trusted entities in the middle. So you've got untrusted on the left. You've got semi trusted in the middle, and you've got trusted on the right.
You could do this with two physical firewalls, or you can create logical segmentation within the same firewall where you've just simply got one villain on one side and one B land on another side.
But you're logically separating the two
now, in this request comes in. Once we've created this d m Z. With these two firewalls, we can have a policy in our firewall, you know? And whenever this connection comes in, when that connection from the Internet comes in,
it comes in and says, Well, we're not gonna allow people to access are firewalled our internal database directly, but we're going to force them to go through this other system. It might be an application server
in a tear approach like we did last time. In this case, the Internet connection comes in and hits the D M Z system. We can say it's coming in on TCP for 443 and we've got a policy down there that allows that particular flow to come in.
We've got another policy that will allow that D. M Z system to go to the internal database again on, say, 14 33. That's just a sequel query. But it could be whatever, and we've got that policy that allows it
anything else. So if something on the Internet tried to come in and connect directly to the database, it would be denied. Or if something tried to come in and connect to that application serving the D M Z on a different port than 443 it would be denied. So weaken gradually control
the access between an outside entity and an internal service that we want to expose with a D M Z architecture.
That's it for a quick lesson on Dems is next up. We're gonna go to lessen 22.3 where we're gonna be talking about I ps and I DS devices.