DMZ
I watched the news every single day when I was growing up. This was the time of the height of the Vietnam war, and the information presented on television was simultaneously
interesting, depressing and confusing. Even as an eight year old child I somehow knew that there was something wrong with this war, some lack of will or direction or whatever. As I
grew older and learned more, I understood the problem was not with the war or our soldiers (who fought bravely and often heroically), it was with the lack of goals and direction from
above. A war cannot be won if the goals are not set correctly, if the leadership is weak and if the people are unwilling to pay the price for victory.
I could get into a long philosophical discussion about the Vietnam war, but that is not the purpose of this article. This article is about something called a DMZ or Demilitarized
Zone, which is a term that I learned while watching the news so long ago.
In war, a DMZ is close kin to a "no man's land", which simply means the area between two armies that is occupied by neither. That term was popularized in World War I, where
it referred specifically to the ground between the Allied trenches and the German trenches. This area was under constant bombardment and could be fired upon by either side, so the
name was quite literal: no man could survive in that area.
A DMZ is a little more formal than a no man's land, as it is usually intentionally negotiated between the two warring sides. In Vietnam, the term applied to the area between North
Vietnam and South Vietnam. No military (and generally little or no civilian) traffic was allowed in the zone. The idea was to put some separation between the militaries of the two
nations and thereby provide a little stability and predictability.
As another example, a DMZ currently exists between North and South Korea. It keeps the armies and population of the north separated from those of the south. It is understood that
the DMZ is a little wild, and minor clashes occasionally occur within it.
This term is also used in the context of a network, with a meaning similar to the military one. In computing, a DMZ is a separate network segment set up to hold systems which must
have some exposure to the outside world, yet still require protection.

Typically, an organization will place a firewall between the internet and its web and email servers. These systems must communicate with the internet and thus must have some
exposure to the outside world.
Another firewall is placed between these internet-facing servers and the main corporate systems. The corporate systems may open connections to the web and email servers within
the DMZ, but the web and email servers MAY NOT open connections back into the corporate network. (A stateful firewall still lets the replies to a corporate-initiated connection flow
back; what is forbidden is a DMZ host starting a new connection inward.) If anything is needed from the exposed servers inside the DMZ, the corporate systems go out and get it
themselves.
This is by far the safest way to set up a DMZ, as it makes it difficult, if not virtually impossible, for an attacker who has taken over a DMZ host to push further into the corporate
network: since no new connections are allowed IN, there is no path for one. The remaining risk is that the corporate systems which pull data from the DMZ are reading content from a
host that may already be compromised, so they must treat that content as untrusted input.
Variations on the theme exist, of course. It is common to allow the SMTP email server within the DMZ to talk directly to the corporate email server, or to allow the web servers to
write directly to databases on the corporate servers. Each of these "holes" increases the chance that someone can get into the corporate network, so each should be as narrow as
possible: one source host, one destination host, one port.
The whole concept is very simple. An attacker might be able to compromise the web server or email system within the DMZ. They are, after all, exposed in one way or another to the
outside world. However, little of value, and nothing that cannot be easily recovered, should be placed on these systems. Thus, an attacker will find little to do and nothing to gain.
It is also common to place a honeypot within the DMZ. This is a system which looks important and useful, and thus attracts hackers in much the same way
that a pot of honey attracts bears and children. The purpose of a honeypot is to distract hackers and to gain information on their techniques, and perhaps even to gather evidence
for criminal investigations.