What is the real function and use of a DMZ on a network?
I read the article on Wikipedia describing what a DMZ (demilitarized zone) is on a network, but am still failing to grasp both how it is set up (ie: is it within the main network or sequestered away?) and what its benefits and uses are. Can anyone explain to me why I'd like to have a DMZ on my network, given the following setup:
- I have around 10 client computer devices on the network, some of which host SSH.
- I have a single server which hosts SSH, HTTP, and a few other publicly accessible services.
For this given use-case, how would I plug in a DMZ, and what would be the benefits?
Reasons why you want a DMZ and the benefits it offers. The general idea is that you put your public faced servers in the "DMZ network" so that you can separate them from your private, trusted network. The use case is that because your server has a public face, it can be remotely rooted. If that happens, and a malicious party gains access to your server, he should be isolated in the DMZ network and not have direct access to the private hosts (or to a database server for example that would be inside the private network and not on the DMZ).
How to do it: There are several ways, but the 'book example' is by utilizing two firewalls (of course you can achieve the same result with one firewall and smart configuration, although hardware isolation is nicer). Your main firewall is between internet and the server and the second firewall between the server and the private network. On this second firewall, all access from the server to the private network ideally would be forbiden (of course it would be a statefull firewall so if you initiate a connection from the private network to the server it would work).
So, this is a fairly high level overview of DMZ. If you want more technical details please edit your question accordingly.
Quick question! Can a DMZ virtual machine could technically exist without a PUBLIC IP? or does this question make no sense (eg: if it doesn't become a DMZ machine unless it has a public IP etc)
Absolutely makes sense, and extremely common. For example a Database would exist in the DMZ for your web server in the DMZ that is publicly accessible. But that database would be shielded from remote public connections, and only people on the trusted private network could reach the database.
Of course I can only add to John's answer and here it is:
You separate the DMZ from the rest of the network both in terms of IP routing and security policy.
You identify your network areas. Internal: critical systems; DMZ: systems you can afford to be "exposed", systems you want to host services to the outside world, e.g. your SSH hosts; External: the rest of the world.
You set up these separate areas on your network architecture.
Your firewalls/routers are then configured to allow direct connections from the outside world only to the DMZ. Correspondingly, your internal systems should be able to connect only to the DMZ and access the outside world via HTTP, application proxies, mail relays etc. there. Your firewall rules should reflect these decisions by blocking the corresponding traffic directions/IPs/ports: e.g. inward allow only ports for services operating in the DMZ etc.
Ideally you should configure any services exchanging information between network areas (internal, DMZ, external) to be initiated FROM the most secure network segment TO the less secure areas, e.g. If you need to transfer files to "inside" hosts have the inside systems initiate the transfer (have the client role, rather than the server role).
In pc networks, a zone (demilitarized zone) may be a physical or logical sub-network that separates an inside native space network (LAN) from different untrusted networks, sometimes the net. External-facing servers, resources and services are placed within the zone so that they ar accessible from the net however the remainder of the interior computer network remains unreached. This provides an extra layer of security to the computer network because it restricts the power of hackers to directly access internal servers and information via the net.