For Allen Gwinn, senior IT director at Southern Methodist University inDallas, the question is not if his 15,000-user network will be exposed,but how to control the damages when it happens.
Gwinn knows that as part of an educational institution, his network is aprime target for hackers. At the same time, there is a lot of informationon his network that he must allow the public to access. To that end,Gwinn relies on an old military technique to layer his network defenses– he’s created a demilitarized zone, or DMZ.
DMZs are no-man’s lands created to ferret out the enemy. Anything in theDMZ is negligible. In the enterprise, a DMZ is an area where the publiccan access certain elements of the network, but not the back-endmission-critical systems.
While firewalls, intrusion detection and intrusion prevention all aregood strategies for detecting unwanted traffic on a network, Gwinn saysthe DMZ analogy provides a blueprint for bringing all these securitytools together for maximum protection.
”A DMZ is a frame of mind on how you’re going to treat things exposed tothe Internet,” Gwinn says. ”Everyone needs a plan for how you approachhaving devices in an untrusted world.”
Rick Fleming, CTO at Digital Defense, a computer security firm in SanAntonio, Texas, says the trick is to put things in the DMZ that would notlead to catastrophic results if they were jeopardized.
He recommends Web servers, e-mail servers, and other information storessuch as PDF silos. ”You have to ask, if someone were to gain root levelaccess to this Web server, what would be the net effect? The answershould be that there is no net effect,” Fleming says.
He adds that a lot of companies want to be able to put information out tothe public, such as financial institutions. But they often make themistake of linking those public machines with back-end private networks.He points to cases where banks offer public access to Web servers bygiving customers digital forms to fill out. ”Suddenly, a hacker canaccess customer information in the back-end SQL database with simplequeries,” he points out.
”You don’t want someone to compromise a machine in your DMZ and thencome inside and compromise a machine within,” he says. ”Machinesclassified as DMZ machines should have as little connectivity or aslimited a connection as humanly possible with machines on your trustednetwork.”
As an example, Gwinn says he puts his e-mail server in the privatenetwork, but his e-mail smart host in the DMZ to take in and send outmessages. He says putting a Microsoft Exchange Server in the DMZ isfoolish. ”The first thing that happens is someone comes along and findsan exploit in the code and they exploit your server. They can then ownyour network.”
IT managers should create a DMZ that takes these possibilities intoconsideration. ”If the DMZ is set up correctly, it should limit outboundconnections in some way, as well,” Fleming says. ”If someone doescompromise a box, they are limited to where they can go and what they cando. The server should not initiate outband connections, but people don’toften think that way.”
Winn Schwartau, president of security consultancy The Security AwarenessCompany, says the biggest thing to have in a DMZ is deception.
”Whoever is coming in there should not know whether it’s real or not,”he says. ”The good guys will be fine and dandy but the bad guys willnot. You want to create a hall of mirrors.”
He recommends adding a honeypot to the DMZ where you can get informationon anyone trying to access your network. ”It allows you to spoof the badguys and collect data on the tools they are using,” he adds.
A DMZ does have its drawbacks, including the overhead on traffic. WhileSchwartau recommends examining all inbound and outbound traffic, herecommends using a variety of appliances to do this. ”Perform side tasks– have your e-mail and virus checking on one box and your contentfiltering on another. Make it as distributed as possible so you’re notoverloading the CPU,” he says.
Other considerations for a DMZ are the computation power required andtemporary data storage, which for large enterprises could become costly.
For this reason, some companies reject the DMZ blueprint. ”They wouldrather deal with an occasional attack,” Fleming says.
Not Gwinn. He says the costs associated with a DMZ are well worth it.
”Sure, it raises your costs until you prevent your first networksecurity disaster. If you don’t know what a costly network is, just waituntil you have a major security compromise.”