
07) Does your organisation place all publicly accessible services in isolated network DMZs (or separate subnets)?

August 30, 2022
Network and Cloud Security
DMZ

Answer yes if your organisation hosts all publicly accessible services within a DMZ (a DMZ or demilitarised zone is a public facing subnet that acts as a barrier between your organisation's internal environment and the internet or other public network).

What is the control?

A demilitarised zone (DMZ) is a portion of a network that is segregated from the organisation's broader internal network. It is used as a buffer zone between the internet and the internal network and typically hosts internet-facing services.

Why should I have it?

Even with network firewalls and web application firewalls in place, internet-facing systems are by far the most exposed. By definition they must be reachable from the public internet, which makes them the most accessible to, and the most prone to attack from, the wider world.

Having a DMZ network segment to host these systems separates them from other internal infrastructure. A DMZ will typically have a firewall between the Internet and the DMZ, and another between the DMZ and the internal network. This means that, should a publicly exposed host in the DMZ be compromised, it is still logically separated from the internal network and the attacker should not have access to the internal network and its systems.

It is effectively an additional layer of security designed to minimise any security liability your public-facing systems may present to your internal network by creating another perimeter between your wider internal network and your public-facing services.

How to implement the control

Your organisation should have a policy requiring that all public-facing services be placed in a segregated network segment. Unlike segments hosting internal services, this segment has direct outside connectivity and should therefore sit between the internet (or other outside network) and your internal networks, so that traffic to and from it never crosses your internal network. The same logic applies to cloud-hosted services.
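The control above is easiest to verify against the actual rule base rather than the policy document. The following is an added example, not part of the original article, of a small audit that checks two things: that no allow rule lets the DMZ or the internet initiate connections into the internal network (the inner perimeter described above), and that every public-facing service address actually sits inside a DMZ prefix. The zone prefixes, rules and service addresses are constructed sample data, not any real organisation's configuration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample zones (assumption): RFC 5737 documentation space for the DMZ,
# RFC 1918 space for the internal network. Anything else is treated as internet.
ZONES = {
    "dmz": [ipaddress.ip_network("203.0.113.0/24")],
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
}

@dataclass(frozen=True)
class Rule:
    src: str      # source prefix, e.g. "0.0.0.0/0"
    dst: str      # destination prefix
    dport: int    # destination TCP port
    action: str   # "allow" or "deny"

def zone_of(prefix: str) -> str:
    """Map a prefix to the zone that wholly contains it; default is 'internet'."""
    net = ipaddress.ip_network(prefix, strict=False)
    for name, nets in ZONES.items():
        if any(net.subnet_of(z) for z in nets):
            return name
    return "internet"

def audit_rules(rules):
    """Return findings for allow rules that let traffic cross the inner perimeter."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        if src_zone in ("dmz", "internet") and dst_zone == "internal":
            findings.append(f"{src_zone} {r.src} -> internal {r.dst} tcp/{r.dport}")
    return findings

def misplaced_services(public_services):
    """Return public-facing service addresses that are not inside a DMZ prefix."""
    return [ip for ip in public_services if zone_of(ip + "/32") != "dmz"]

# Constructed sample policy (not a real rule base)
SAMPLE_RULES = [
    Rule("0.0.0.0/0", "203.0.113.10/32", 443, "allow"),     # internet -> DMZ web: fine
    Rule("10.0.0.0/8", "203.0.113.0/24", 443, "allow"),      # internal -> DMZ: fine
    Rule("203.0.113.10/32", "10.0.5.10/32", 5432, "allow"),  # DMZ -> internal DB: finding
    Rule("0.0.0.0/0", "10.0.0.0/8", 22, "allow"),            # internet -> internal: finding
    Rule("203.0.113.0/24", "10.0.0.0/8", 0, "deny"),         # deny rules are not findings
]
SAMPLE_PUBLIC_SERVICES = ["203.0.113.10", "10.0.5.20"]      # second one is outside the DMZ

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print("rule finding:", f)
    for ip in misplaced_services(SAMPLE_PUBLIC_SERVICES):
        print("public service outside DMZ:", ip)
```

A DMZ-to-internal allow rule is not always wrong (a web tier may need a database), but each one should be an explicit, port-restricted exception that the audit surfaces for review rather than something that slips through unnoticed.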

There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements. Please message us if you would like a recommendation.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
