Defensive Security Through a DMZ

A DMZ, or demilitarized zone, is a containment concept: a network segment where you place servers that must be reachable from the Internet, such as a Web server or mail server. Any Internet user can reach the resources published on those servers, but if a server is compromised, a hacker will not be able to use the "owned" computer as a foothold to probe the rest of the network. Technically, a DMZ is its own small network, separate from both the internal network and the Internet.

A firewall usually protects the DMZ from external threats. However, because the servers must communicate with the outside world, the firewall has to be configured to let many kinds of inbound connections through to them. In addition to isolating the servers, the DMZ is often set up so that internal network users can reach it easily. This is accomplished by the firewall hardware and software, which usually comes with a port set aside just for such a DMZ. For example, NetScreen has three ports: one for the Internet connection, the second for the internal connection, and the third for a DMZ, into which a hub or switch can be connected so that multiple servers can share it.

This same port could also be used to connect an access point, which is really nothing more than a wireless hub/switch. Doing so places the WLAN in a semi-trusted zone that is expected to be attacked by hackers. By operating with the mentality that your WLAN could already be owned, you can plan more carefully who and what you allow to access the internal network. However, while this type of protection can help protect internal resources, it will not protect the wireless network users themselves. Therefore, the DMZ should be just one part of your wireless security plan.
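As an added example (not from this article, and not NetScreen's own configuration syntax), here is a minimal Linux nftables forwarding policy for the three-port layout described above, with an access point on the DMZ segment as in the wireless case. Interface names wan0, lan0 and dmz0 and all addresses are assumptions constructed for the example.

```nftables
#!/usr/sbin/nft -f
# Assumed interface names (not from the article): wan0 = Internet,
# lan0 = internal network, dmz0 = DMZ segment (hub/switch or access point).
# Constructed addresses: DMZ 192.0.2.0/24, internal 10.0.0.0/24,
# Web server 192.0.2.10, mail server 192.0.2.20.
define DMZ_NET  = 192.0.2.0/24
define LAN_NET  = 10.0.0.0/24
define WEB_SRV  = 192.0.2.10
define MAIL_SRV = 192.0.2.20

table inet dmz_fw {
    chain forward {
        # Default deny: anything not explicitly listed below is dropped
        type filter hook forward priority 0; policy drop;

        # Replies belonging to connections already permitted below
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published services, only to their hosts
        iifname "wan0" oifname "dmz0" ip daddr $WEB_SRV  tcp dport { 80, 443 } accept
        iifname "wan0" oifname "dmz0" ip daddr $MAIL_SRV tcp dport 25 accept

        # Internal -> DMZ: internal users can reach the servers easily
        iifname "lan0" oifname "dmz0" ip saddr $LAN_NET ip daddr $DMZ_NET accept

        # Internal -> Internet: normal outbound traffic
        iifname "lan0" oifname "wan0" ip saddr $LAN_NET accept

        # DMZ -> Internet: only what the mail server needs to deliver mail
        iifname "dmz0" oifname "wan0" ip saddr $MAIL_SRV tcp dport 25 accept
        iifname "dmz0" oifname "wan0" ip saddr $MAIL_SRV udp dport 53 accept

        # DMZ -> Internal: never initiated from the DMZ side. A compromised
        # server, or a wireless client behind an access point in the DMZ,
        # cannot probe the internal network; log attempts so they are seen.
        iifname "dmz0" oifname "lan0" log prefix "dmz-to-lan attempt: " drop
    }
}
```

The logged "dmz-to-lan attempt" lines are the signal to watch for: they are exactly what a compromised DMZ host or a hostile WLAN client would generate when it tries to move toward the internal network.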