Protecting Data with a Military-Style DMZ

For Allen Gwinn, senior IT director at Southern Methodist University in

Dallas, the question is not if his 15,000-user network will be exposed,

but how to control the damages when it happens.

Gwinn knows that as part of an educational institution, his network is a

prime target for hackers. At the same time, there is a lot of information

on his network that he must allow the public to access. To that end,

Gwinn relies on an old military technique to layer his network defenses

— he’s created a demilitarized zone, or DMZ.

DMZs are no-man’s lands created to ferret out the enemy. Anything in the

DMZ is negligible. In the enterprise, a DMZ is an area where the public

can access certain elements of the network, but not the back-end

mission-critical systems.

While firewalls, intrusion detection and intrusion prevention all are

good strategies for detecting unwanted traffic on a network, Gwinn says

the DMZ analogy provides a blueprint for bringing all these security

tools together for maximum protection.

”A DMZ is a frame of mind on how you’re going to treat things exposed to

the Internet,” Gwinn says. ”Everyone needs a plan for how you approach

having devices in an untrusted world.”

Rick Fleming, CTO at Digital Defense, a computer security firm in San

Antonio, Texas, says the trick is to put things in the DMZ that would not

lead to catastrophic results if they were jeopardized.

He recommends Web servers, e-mail servers, and other information stores

such as PDF silos. ”You have to ask, if someone were to gain root level

access to this Web server, what would be the net effect? The answer

should be that there is no net effect,” Fleming says.

He adds that a lot of companies want to be able to put information out to

the public, such as financial institutions. But they often make the

mistake of linking those public machines with back-end private networks.

He points to cases where banks offer public access to Web servers by

giving customers digital forms to fill out. ”Suddenly, a hacker can

access customer information in the back-end SQL database with simple

queries,” he points out.

Gwinn agrees.

”You don’t want someone to compromise a machine in your DMZ and then

come inside and compromise a machine within,” he says. ”Machines

classified as DMZ machines should have as little connectivity or as

limited a connection as humanly possible with machines on your trusted

network.”

As an example, Gwinn says he puts his e-mail server in the private

network, but his e-mail smart host in the DMZ to take in and send out

messages. He says putting a Microsoft Exchange Server in the DMZ is

foolish. ”The first thing that happens is someone comes along and finds

an exploit in the code and they exploit your server. They can then own

your network.”

IT managers should create a DMZ that takes these possibilities into

consideration. ”If the DMZ is set up correctly, it should limit outbound

connections in some way, as well,” Fleming says. ”If someone does

compromise a box, they are limited to where they can go and what they can

do. The server should not initiate outband connections, but people don’t

often think that way.”

Winn Schwartau, president of security consultancy The Security Awareness

Company, says the biggest thing to have in a DMZ is deception.

”Whoever is coming in there should not know whether it’s real or not,”

he says. ”The good guys will be fine and dandy but the bad guys will

not. You want to create a hall of mirrors.”

He recommends adding a honeypot to the DMZ where you can get information

on anyone trying to access your network. ”It allows you to spoof the bad

guys and collect data on the tools they are using,” he adds.

A DMZ does have its drawbacks, including the overhead on traffic. While

Schwartau recommends examining all inbound and outbound traffic, he

recommends using a variety of appliances to do this. ”Perform side tasks

— have your e-mail and virus checking on one box and your content

filtering on another. Make it as distributed as possible so you’re not

overloading the CPU,” he says.

Other considerations for a DMZ are the computation power required and

temporary data storage, which for large enterprises could become costly.

For this reason, some companies reject the DMZ blueprint. ”They would

rather deal with an occasional attack,” Fleming says.

Not Gwinn. He says the costs associated with a DMZ are well worth it.

”Sure, it raises your costs until you prevent your first network

security disaster. If you don’t know what a costly network is, just wait

until you have a major security compromise.”

RELATED NEWS AND ANALYSIS

• Ethics and Artificial Intelligence: Driving Greater Equality

  FEATURE |  By James Maguire,
  December 16, 2020

• AI vs. Machine Learning vs. Deep Learning

  FEATURE |  By Cynthia Harvey,
  December 11, 2020

• Huawei’s AI Update: Things Are Moving Faster Than We Think

  FEATURE |  By Rob Enderle,
  December 04, 2020

• Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 18, 2020

• Key Trends in Chatbots and RPA

  FEATURE |  By Guest Author,
  November 10, 2020

• Top 10 AIOps Companies

  FEATURE |  By Samuel Greengard,
  November 05, 2020

• What is Text Analysis?

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 02, 2020

• How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 29, 2020

• Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 23, 2020

• The Super Moderator, or How IBM Project Debater Could Save Social Media

  FEATURE |  By Rob Enderle,
  October 16, 2020

• Top 10 Chatbot Platforms

  FEATURE |  By Cynthia Harvey,
  October 07, 2020

• Finding a Career Path in AI

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  October 05, 2020

• CIOs Discuss the Promise of AI and Data Science

  FEATURE |  By Guest Author,
  September 25, 2020

• Microsoft Is Building An AI Product That Could Predict The Future

  FEATURE |  By Rob Enderle,
  September 25, 2020

• Top 10 Machine Learning Companies 2021

  FEATURE |  By Cynthia Harvey,
  September 22, 2020

• NVIDIA and ARM: Massively Changing The AI Landscape

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  September 18, 2020

• Continuous Intelligence: Expert Discussion [Video and Podcast]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 14, 2020

• Artificial Intelligence: Governance and Ethics [Video]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 13, 2020

• IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI

  FEATURE |  By Rob Enderle,
  September 11, 2020

• Artificial Intelligence: Perception vs. Reality

  FEATURE |  By James Maguire,
  September 09, 2020