
07) Does your organisation place all publicly accessible services in isolated network DMZs (or separate subnets)?

August 31, 2022 | Network and Cloud Security | DMZ

Answer yes if your organisation hosts all publicly accessible services within a DMZ. A DMZ (demilitarised zone) is a public-facing subnet that acts as a barrier between your organisation's internal environment and the internet or another public network.

What is the control?

A demilitarised zone (DMZ) is a portion of a network that is segregated from the broader internal network of the organisation. It is typically used as a buffer zone between the internet and the internal network and typically hosts internet-facing services.

Why should I have it?

Even with network firewalls and web application firewalls in place, internet-facing systems are by far the most exposed of all. By definition they must be reachable from the public internet, which makes them the most easily found and the most frequently attacked by the wider world.

Hosting these systems in a DMZ network segment separates them from the rest of your internal infrastructure. A DMZ typically has one firewall between the internet and the DMZ, and another between the DMZ and the internal network. This means that, should a publicly exposed host in the DMZ be compromised, it remains logically separated from the internal network, and the attacker should not gain access to the internal network and its systems.

It is effectively an additional layer of security: by creating a further perimeter between your wider internal network and your public-facing services, it minimises the liability those services would otherwise present to the internal network.

How to implement the control:

Your organisation should have a policy requiring that all public-facing services be placed in a segregated network segment. Unlike the segments hosting internal services, this segment has direct outside connectivity, so it should sit between the internet (or other outside network) and your internal networks, with traffic to and from it never crossing the internal network. The same logic applies to cloud-hosted services.
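The following is an added example, not part of the Risk Ledger article: a small model of the two-firewall DMZ layout described above, used to check that a candidate firewall policy actually honours it (internet cannot reach internal hosts, a compromised DMZ host cannot reach internal hosts, and only the published service port crosses the outer firewall). The zone ranges, rule format and the single permitted DMZ-to-internal database flow are constructed assumptions for illustration.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan (RFC 5737 / RFC 1918 ranges); substitute your own.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),   # catch-all for everything else
    "dmz": ipaddress.ip_network("203.0.113.0/24"),    # public-facing subnet
    "internal": ipaddress.ip_network("10.0.0.0/8"),   # internal network
}

@dataclass(frozen=True)
class Rule:
    src: str             # source zone name
    dst: str             # destination zone name
    port: Optional[int]  # None matches any destination port
    action: str          # "allow" or "deny"

def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip; 0.0.0.0/0 (internet) is the fallback."""
    addr = ipaddress.ip_address(ip)
    return max((n for n, net in ZONES.items() if addr in net),
               key=lambda n: ZONES[n].prefixlen)

def decide(rules: list[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; with no match the implicit default deny applies."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if r.src == s and r.dst == d and r.port in (None, port):
            return r.action
    return "deny"

# Probes taken from the two-firewall picture: (description, src, dst, port, required decision).
PROBES = [
    ("internet must not reach internal hosts directly", "198.51.100.7", "10.0.0.5", 443, "deny"),
    ("a compromised DMZ host must not reach internal hosts", "203.0.113.10", "10.0.0.5", 445, "deny"),
    ("internet must still reach the published DMZ service", "198.51.100.7", "203.0.113.10", 443, "allow"),
    ("internet must not reach non-service ports in the DMZ", "198.51.100.7", "203.0.113.10", 22, "deny"),
]

def dmz_violations(rules: list[Rule]) -> list[str]:
    """List every probe whose decision contradicts the DMZ pattern (empty list = pattern holds)."""
    return [desc for desc, s, d, p, want in PROBES if decide(rules, s, d, p) != want]

# Weak policy: the DMZ was allowed to talk to the whole internal network on any port.
WEAK = [Rule("internet", "dmz", 443, "allow"), Rule("dmz", "internal", None, "allow")]
# Corrected policy: only the published service crosses the outer firewall, and the inner
# firewall permits one narrowly scoped flow (assumed: app server to an internal DB on 5432).
CORRECTED = [Rule("internet", "dmz", 443, "allow"), Rule("dmz", "internal", 5432, "allow")]
```

Running `dmz_violations(WEAK)` reports the lateral-movement path, while `dmz_violations(CORRECTED)` returns an empty list; the same probes can be re-run whenever the policy changes.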

There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements. Please message us if you would like a recommendation.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
