Tactical Advice

4 Tips for Securing a Network DMZ

Follow this advice to lock down high-risk servers.
4 Tips for Securing a Network DMZ

A network DMZ likely houses some of the highest-risk servers in an organization: those that provide direct connections to the Internet and are at significant risk of attack. An organization should do everything it can to lock down the DMZ and protect it from threats.

The term “DMZ” comes from the military concept of a demilitarized zone, a neutral area that separates warring parties. Instead of separating armies, a network DMZ is designed to separate the general public — and hackers — from an internal network. In the most common DMZ scenario, a firewall separates the network into three segments: the internal network housing critical resources, the DMZ and the Internet. Any communication between servers in different zones must pass through the firewall and is subject to network security policies.

The typical DMZ houses web servers, e-mail servers, DNS servers and other systems that must have some level of accessibility from the outside world. The DMZ is set up so that an attacker who is able to compromise one of these servers is able to leverage that server to gain access only to other systems in the DMZ, isolating the internal network from the attack. For this reason, it’s critical to design added layers of security control around the DMZ.

Here are four tips to help ensure that a DMZ is secure:

1. Preserve isolation as much as possible.

Keep the rules that allow traffic between the DMZ and an internal network as tight as possible. Too often, administrators seeking to troubleshoot a problem create a rule allowing full access between a DMZ system and a back-end server on the internal network (or the entire internal network). This defeats the purpose of the DMZ and effectively merges it with the internal network. Instead, create specific firewall rules that allow communication only between specific servers on specific ports required to meet business requirements.

2. Practice good vulnerability management.

DMZ servers are exposed to the world, so take extra steps to ensure that they are fully patched to deal with the latest security vulnerabilities. Many security professionals recommend daily, automated vulnerability scans of DMZ systems that provide rapid alerts of newly detected vulnerabilities. In addition, consider patching DMZ systems on a much more frequent basis than protected systems to reduce the window of vulnerability between the time when a patch is released and its application to DMZ servers.

3. Use application layer defenses for exposed services.

Choose a network firewall that has strong application layer protection, rather than just a port filter. A firewall should have the ability to inspect the content of traffic and block malicious requests. One common example of this is screening inbound web requests for signs of embedded SQL injection attacks, preventing them from even reaching the web server.

4. Monitor, monitor, monitor.

The DMZ should be one of the major focuses of an organization’s network monitoring efforts. Use intrusion detection systems, security incident and event management systems, log monitoring and other tools to remain vigilant for signs of an attack.

DMZ systems are at the pointy end of the network security spear and are subject to external attack on a daily basis. For this reason, it’s important to take the time to ensure that they are among the most secure servers in an organization and are rigorously maintained.

Sign up for our e-newsletter

About the Author

Mike Chapple

Mike Chapple is an IT professional and assistant professor of computer applications at the University of Notre Dame. He is a frequent contributor to BizTech magazine, SearchSecurity and About.com as well as the author of over a dozen books including the CISSP Study Guide, Information Security Illuminated and SQL Server 2008 for Dummies.


Heartbleed: What Should Your... |
One of the biggest security vulnerabilities has almost every user and every industry...
Why Businesses Need a Next-G... |
Devices investigate patterns that could indicate malicious activity.
Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....


The New Backup Utility Proce... |
Just getting used to the Windows 8 workflow? Prepare for a change.
How to Perform Traditional W... |
With previous versions going unused, Microsoft radically reimagined the backup utility in...
5 Easy Ways to Build a Bette... |
While large enterprises have the resources of an entire IT department behind them, these...

Infrastructure Optimization

Businesses Must Step Careful... |
Slow and steady wins the race as businesses migrate IT operations to service providers,...
Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Ensure Uptime Is in Your Dat... |
Power and cooling solutions support disaster recovery and create cost savings and...


Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
How to Maximize WAN Bandwidt... |
Understand six common problems that plague wide area networks — and how to address them.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Mobile & Wireless

Mobility: A Foundational Pie... |
Other technologies rely on mobile computing, which has the power to change lives, Lextech...
Now that Office for iPad Is... |
After waiting awhile for Microsoft’s productivity suite to arrive, professionals who use...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.

Hardware & Software

Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....
New Challenges in Software M... |
IT trends such as cloud, virtualization and BYOD pose serious hurdles for software...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.