The DMZ as a corporate liability

'As more and more sensitive data from the internal network is duplicated in the DMZ, this perimeter network designed to be a buffer zone has become a prime target for hackers'

Initially intended for housing non-confidential, static information for external access, the DMZ has become crowded with servers containing highly sensitive enterprise data including design files, customer personal data, and financial information.

This data deluge is a result of an increase in online collaboration and more employees working on the go, often using their own mobile devices. A recent industry study by Citrix found that 94 percent of firms had a BYOD (bring your own device) policy enabling employees to use their own personal devices to access sensitive company data. Another study by IDC shows that by 2015 the mobile worker population will reach over 1.3 billion.

As more and more sensitive data from the internal network is duplicated in the DMZ, this perimeter network designed to be a buffer zone has become a prime target for hackers. Many enterprises have simply accepted these risks, without realising that there is an alternative.

Today’s configuration of the DMZ

The fundamental security vulnerability in most DMZ implementations is that the DMZ’s network ports remain open to the Internet. As a result, they expose the entire network to external attacks. Hackers relentlessly scan networks for open ports to exploit in order to gain access to the internal network from which they can steal data.

Although firewalls and proxy servers monitor and filter all incoming communications, the fact that the ports remain open makes the entire network susceptible to external attacks.

Malicious code, which continuously evolves and becomes ever more sophisticated, can be embedded in legitimate communications in order to exploit design, implementation and configuration weaknesses and circumvent these monitoring and filtering mechanisms.

Even if all security mechanisms are kept current and validated vigilantly, the reactive nature of identification of threats and creation of counter-measures creates windows of opportunity for external threats to defeat the network.

In addition to security vulnerabilities, the DMZ network configuration also imposes a costly operations burden on the enterprise. To use the DMZ network to protect against external threats, data and services in the internal network must be duplicated in the DMZ.

This duplication requires additional hardware and software, as well as perpetual replication processes to ensure that data is synchronised between the internal network and the DMZ. This additional hosting and synchronisation requires a complex layer of data and network operations which can be complicated and costly to manage.

The streamlined DMZ

By utilising two nodes, one on each side of the firewall, requests can be received and data can be streamed rather than the traditional method of storing sensitive data in the DMZ.

The node external to the firewall acts as a front-end to all services published within the DMZ, ensuring that only legitimate session data can pass through into the LAN. It can be deployed in front of the web/application front-ends, essentially replacing them completely, or behind them, providing an additional layer of defence within the DMZ and preventing attacks from being launched from within the front-end servers.

The node internal to the firewall pulls the session data into the LAN from the external node and then passes the data to the destination application server. The internal node has a built-in firewall application which inspects and controls incoming traffic at the application layer to detect and mitigate viruses, Trojans and other malware, on both clear channels and encrypted channels such as HTTPS.

Using this method there is no need to open inbound ports on the internal firewall. As a result, network-layer and Layer 4 attacks such as port scanning, ICMP scanning and TCP-based attacks are blocked entirely.

The external node does not run an application to handle incoming sessions; it relies instead on listener technology, which the vendor claims makes it impossible to hack into the external node and take control of it to initiate attacks.
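A constructed sketch of the two-node, pull-based arrangement described above (added here; it is not the vendor's product or code). The external node stores nothing and brokers each client session to an outbound connection made by the internal node, so the internal firewall never needs an inbound listening port. The length-prefixed framing, the `inspect` check, the echo application and the loopback ports are all assumptions made for the demo.

```python
import socket, threading

# Constructed demo (not the vendor's product) of the pull-based relay described above:
# the internal node only ever CONNECTS OUT, so the internal firewall needs no inbound port.

def read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk: raise ConnectionError("peer closed")
        buf += chunk
    return buf

def send_frame(sock, data):  # 4-byte big-endian length prefix, then payload
    sock.sendall(len(data).to_bytes(4, "big") + data)
def recv_frame(sock):
    return read_exact(sock, int.from_bytes(read_exact(sock, 4), "big"))
def listen():  # ephemeral loopback port; a real deployment fixes these
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen()
    return srv

def external_node(client_srv, pull_srv):
    # DMZ node: stores nothing, brokers each session to the next outbound LAN connection.
    while True:
        c, _ = client_srv.accept()
        req = recv_frame(c)
        p, _ = pull_srv.accept()       # the LAN node's outbound connection
        send_frame(p, req)             # hand the session inward
        send_frame(c, recv_frame(p))   # relay the answer back to the client
        c.close(); p.close()

def inspect(req):  # hypothetical application-layer check done inside the LAN
    return len(req) <= 4096 and req.isascii()
def internal_node(pull_addr, app):
    # LAN node: one outbound connection per pulled session; inspect, then serve.
    while True:
        p = socket.create_connection(pull_addr)
        req = recv_frame(p)
        send_frame(p, app(req) if inspect(req) else b"403 blocked by internal node")
        p.close()

def start_demo(app):
    client_srv, pull_srv = listen(), listen()
    threading.Thread(target=external_node, args=(client_srv, pull_srv), daemon=True).start()
    threading.Thread(target=internal_node, args=(pull_srv.getsockname(), app), daemon=True).start()
    return client_srv.getsockname()  # the only address Internet clients ever reach

def client_request(addr, data):
    with socket.create_connection(addr) as c:
        send_frame(c, data)
        return recv_frame(c)
```

Calling `start_demo(lambda req: b"echo:" + req)` returns the client-facing address; a request sent there is answered from inside the LAN although nothing ever connected inbound to the internal node.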

Before making any significant changes to the way enterprises store and transfer sensitive information, the role and architecture of the traditional DMZ has to be evaluated by each organisation's IT and security team. Where appropriate, however, deploying a streamlined DMZ lets IT managers improve security while reducing the DMZ's hardware and software footprint, simplifying network management and business operations.