

As I redesign client networks and sample IT personnel's understanding of the purpose of DMZs, I think it is in proper order to briefly go over the purpose of a DMZ and when it should be used. I think a good chunk of the confusion over DMZs (among many other things) lies with the manufacturer's definition of terms. These definitions and their implementations vary among manufacturers. For the purposes of this article, I will discuss hands-on experience with a DMZ and its setup in the context of a Fortinet FortiGate firewall appliance. In my own practice, I treat the DMZ network as an isolated and air-gapped network created and intended for the purpose of exposing and serving networked and computing resources (usually web & email servers and remote access gateways) to the world, with the intention of allowing access to those services. And, when (not if) it is compromised by a threat actor, only the resources in the DMZ are affected. No lateral movement through the victim’s network is possible from a properly designed DMZ.

With this definition of the DMZ in mind, we can now clearly determine which network resources should belong on the LAN, cloud (data center), or DMZ.

It should also go without saying (but I’ll mention it anyway) proper physical security (i.e.
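As an added illustration (not configuration from the original post or from Fortinet), the policy set below sketches how the DMZ isolation described above is expressed on a FortiGate: the Internet reaches only one published HTTPS service in the DMZ, the DMZ cannot initiate anything toward the LAN, and every DMZ-to-LAN attempt is logged so that a compromised DMZ host shows up in the logs. The interface names (`wan1`, `dmz`, `lan`), the VIP and address objects, and the IP addresses are assumptions for the example.

```fortios
# Assumed for the example: interfaces wan1 / dmz / lan, a web server at
# 10.10.10.10 in the DMZ, and a public address 203.0.113.10 on wan1.
config firewall vip
    edit "vip-dmz-web"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.10.10.10"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end
config firewall policy
    # Internet may reach only the published HTTPS service in the DMZ;
    # no policy exists from wan1 to lan, so the implicit deny covers it.
    edit 1
        set name "wan-to-dmz-https"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-dmz-web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
    # Explicit, logged deny: a compromised DMZ host gets no path into the LAN.
    # FortiGate's implicit deny would drop this anyway; the explicit policy
    # makes the intent visible in the policy table and generates log events
    # (violation traffic) that a SOC can alert on.
    edit 2
        set name "dmz-to-lan-deny"
        set srcintf "dmz"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Any service the DMZ host legitimately needs from the LAN (for example a directory or database) should be added as its own narrow accept policy above the deny, restricted to the single source host, destination host and service, rather than by widening the deny.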
