That doesn’t mean what you think it does Part 2 – DMZ

Far too frequently the term DMZ is being used for something that is not a DMZ. This creates confusion and weakens security in organizations trying to do just the opposite.

I don’t entirely understand this misuse of the term beyond decades of watering down of the meaning. A network DMZ comes out of the military jargon Demilitarized Zone, which is a fair place to start when trying to understand the traditional purpose.

A network DMZ, quite simply, is an untrusted network that holds company assets. These assets should be hardened hosts (bastion hosts) that are expendable when they are breached and hold no data more important than the company can afford to lose.

The classic DMZ sits outside the network firewall directly on the Internet. A more common modern approach is a separate network that allows inbound connections from untrusted sources but does not have any access to the more trusted internal network.

In some cases, we also use internal DMZs. These internal networks hold all the resources needed for a specific application and may allow permissive inbound access but no access to other company resources from within the DMZ. An example of this would be an outdated application that is needed by the business for historical records but can no longer be sufficiently protected to allow it to be on the same network as other systems. Another example might be an untrusted application, such as an HVAC system, that is used for services independent of the rest of the business.

The important issue in all of these cases is that the DMZ has no access into a more trusted network such as the generic server LAN or workstation LANs. What I hear people talk about across every type of business and industry is a DMZ that only allows access to X application in the LAN. A common example might be allowing access to an internal SQL server that holds both public data and proprietary data. The issue is that once that SQL server is accessible from the DMZ, it is no longer a protected system and becomes the doorway between the DMZ and more protected networks.

The only traffic that should enter from a DMZ is traffic that would also be allowed from an untrusted network such as the Internet. This leaves a great deal of flexibility depending on the security posture of the company. Not that I would endorse this, but if your company allows direct inbound access to SMB shares on the LAN from the Internet there is no harm in a DMZ accessing the same. On the other hand, if the mere idea of exposing SMB to the Internet worries you, and it should, then allowing the same access from a DMZ should also worry you.
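The rule above can be checked mechanically against a firewall policy. The following is an added example, not part of the original post: it flags every allow rule from the DMZ into a more trusted zone that is not also allowed from the Internet. The zone names, trust levels, hosts and ports are constructed for illustration, and rules are assumed to match on exact host and port.

```python
from dataclasses import dataclass

# Zone trust levels are an assumption of this example: higher = more trusted.
TRUST = {"internet": 0, "dmz": 1, "server_lan": 2, "workstation_lan": 2}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: str
    proto: str
    port: int
    action: str = "allow"

def flow(rule):
    """The destination a rule exposes; two rules expose the same service if this matches."""
    return (rule.dst_zone, rule.dst_host, rule.proto, rule.port)

def dmz_violations(rules, dmz="dmz", untrusted="internet"):
    """Return allow rules from the DMZ into a more trusted zone that are
    not also allowed from the untrusted network."""
    allowed_from_untrusted = {flow(r) for r in rules
                              if r.src_zone == untrusted and r.action == "allow"}
    return [r for r in rules
            if r.src_zone == dmz and r.action == "allow"
            and TRUST[r.dst_zone] > TRUST[dmz]
            and flow(r) not in allowed_from_untrusted]

# Constructed sample ruleset (hosts and ports are illustrative).
RULES = [
    Rule("internet", "dmz", "web01", "tcp", 443),
    Rule("internet", "server_lan", "mail01", "tcp", 25),
    Rule("dmz", "server_lan", "mail01", "tcp", 25),    # also open to the Internet: consistent
    Rule("dmz", "server_lan", "sql01", "tcp", 1433),   # the "only X application" exception
    Rule("dmz", "internet", "any", "tcp", 443),        # outbound to a less trusted zone
    Rule("dmz", "workstation_lan", "any", "tcp", 445, action="deny"),
]

if __name__ == "__main__":
    for r in dmz_violations(RULES):
        print(f"{r.src_zone} -> {r.dst_zone}/{r.dst_host} {r.proto}/{r.port}: "
              "segment is not a DMZ while this rule exists")
```

On the sample ruleset only the SQL server rule is reported; the mail rule passes because the same service is already exposed to the Internet.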

There may be times where the risk of allowing access from a less trusted network segment is acceptable, especially for internal segmentation. Please don’t call the segment a DMZ. It’s a segmented network or an application network. Network segmentation is a good thing. Using terminology correctly will help us all understand the conversation without having to explain a list of exceptions for why what we say is not actually what we mean.