|
- What is the real function and use of a DMZ on a network?
You separate the DMZ from the rest of the network both in terms of IP routing and security policy You identify your network areas Internal: critical systems; DMZ: systems you can afford to be "exposed", systems you want to host services to the outside world, e g your SSH hosts; External: the rest of the world
- firewalls - Public DMZ network architecture - Information Security . . .
My past designs are more complext than a front and back FW In an extremely highly secured ISP DMZ design, I architected FW, IPS, front VIP network, DMZ VIP Load Balancers, Private Farm networks, then the back-end Internal Facing FWs Each of these layers adds a unique additional barrier to entry for the hacker to get through
- databases - Whats the point of a DMZ if it has access to a DB inside . . .
The DMZ is a rule that says send these Other ports to my handler Again, if you have no need or desire to handle Other ports, you have no need for a DMZ rule The analogy gets complicated, but not yet broken, when the Internet facing device is a router firewall (yet another analogy)
- Firewalls vs DMZ - Information Security Stack Exchange
DMZ is a Logical or Physical Network DMZ or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network, usually a larger network such as the Internet
- To DMZ, or not to DMZ - Information Security Stack Exchange
The DMZ is a containment area so that a subverted server does not gain immediate access to your most valuable data (which will be presumably kept in the inner network) Your AD and SQL servers are meant to be used only by machines from your network, not by machines from the outside, so you put them in the inner network
- Comparing Site to Site VPN with DMZ
Not sure why you would opt to put the server on the public Internet in a DMZ if the only access comes from within the company from site A or B Putting it in a DMZ on the public Internet would make it susceptible to security bugs in your DMZ firewall, configuration errors (which either are there from day one or get introduced through changes), etc
- Ideal system architecture for sensitive data access through DMZ
Reverse Proxy@DMZ -> API Gateway@DMZ -> App@Internal -> (Data Access Service@Internal) -> DB@Internal Basically, API gateways are simple applications with few dependencies, and thus offering a much smaller attack surface that the main app Whether a data access service is needed is questionable
- 关于DMZ的原理不解? - 知乎
dmz可以当做一个中间缓冲地带,介于外网和内网之间。 内网可单向访问,反过来从dmz访问内网则需要制定规则; 外网可以和dmz双向访问。 如果没有dmz,我们通常所采取的办法是把电脑防火墙的某个端口打开,以达到外网可以访问内内网设备的作用。
|
|
|