Monday 12 November 2012

DMZ (DEMILITARIZED ZONE)


Definition of DMZ :   A DMZ (demilitarized zone) is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network.



------>  It prevents outside users from getting direct access to a server that has company data.

                                                     
(or)

----->  A computer or small sub-network that sits between a trusted internal network, such as a corporate private LAN (LOCAL AREA NETWORK), and an untrusted external network, such as the public Internet.




----->  Typically, the DMZ contains devices accessible to Internet traffic, such as Web (HTTP) servers, FTP (FILE TRANSFER PROTOCOL) servers, SMTP (SIMPLE MAIL TRANSFER PROTOCOL, i.e. e-mail) servers and DNS (DOMAIN NAME SERVICE) servers.




----->    A demilitarized zone (DMZ) configuration involves multiple firewalls that add layers of security between the Internet and critical data and business logic.



----->  The main purpose of a DMZ configuration is to protect the business logic and data in the environment from unauthorized access. A typical DMZ configuration includes:




1)   An outer firewall between the public Internet and the Web server or servers processing the requests originating on the company Web site.



2) An inner firewall between the Web server and the Application Servers to which it is forwarding requests. Company data also resides behind the inner firewall.
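The two-firewall layout above, written out as a small default-deny policy model so that the effect of each rule can be checked against sample flows. This is an added example, not code from the original post or from WebSphere; the addresses, the application server port 9080 and the zone table are assumptions, chosen for illustration.

```python
from collections import namedtuple

INTERNET, DMZ, INTRANET = "internet", "dmz", "intranet"
ZONE_ORDER = [INTERNET, DMZ, INTRANET]          # outermost zone first
# Constructed sample topology using documentation address ranges, not real hosts.
ZONES = {
    "192.0.2.80": DMZ,        # Web server in the DMZ; forwards HTTP to the app server
    "10.0.0.9": INTRANET,     # Application Server behind the inner firewall
    "10.0.0.20": INTRANET,    # database holding company data
}
Flow = namedtuple("Flow", "src dst proto dport")

# Allow rules are (src_zone, dst_zone, proto, dport); every entry is one firewall hole.
OUTER_RULES = {(INTERNET, DMZ, "tcp", 80), (INTERNET, DMZ, "tcp", 443)}
INNER_RULES = {(DMZ, INTRANET, "tcp", 9080)}    # 9080: assumed HTTP transport port
FIREWALLS = [("outer", OUTER_RULES), ("inner", INNER_RULES)]   # outermost first

def zone_of(addr):
    """Any address missing from the topology table is treated as the public Internet."""
    return ZONES.get(addr, INTERNET)

def firewalls_crossed(src_zone, dst_zone):
    """FIREWALLS[i] sits between ZONE_ORDER[i] and ZONE_ORDER[i+1]; return them in traversal order."""
    s, d = ZONE_ORDER.index(src_zone), ZONE_ORDER.index(dst_zone)
    path = FIREWALLS[min(s, d):max(s, d)]
    return path if s <= d else path[::-1]

def path_allowed(flow):
    """Default deny: each firewall on the path needs a matching allow rule; returns (True, None) or (False, blocking firewall)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for name, rules in firewalls_crossed(src_zone, dst_zone):
        if (src_zone, dst_zone, flow.proto, flow.dport) not in rules:
            return False, name
    return True, None

def firewall_holes():
    """Total number of open ports across both firewalls (criterion G below: fewer is better)."""
    return sum(len(rules) for _, rules in FIREWALLS)

if __name__ == "__main__":
    samples = [
        Flow("203.0.113.10", "192.0.2.80", "tcp", 443),   # client -> DMZ Web server
        Flow("203.0.113.10", "10.0.0.9", "tcp", 9080),    # client straight to app server
        Flow("192.0.2.80", "10.0.0.9", "tcp", 9080),      # Web server -> app server over HTTP
        Flow("192.0.2.80", "10.0.0.20", "tcp", 5432),     # Web server -> database (no rule)
    ]
    for f in samples:
        print(f, path_allowed(f))
    print("firewall holes:", firewall_holes())
```

A client that tries to reach the Application Server directly is stopped at the outer firewall, and the Web server can reach nothing in the intranet except the one HTTP port.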




----->  WebSphere Application Server offers many configuration choices for accomplishing this goal.


A)  Works with product security :   WebSphere Application Server security protects applications and their components by enforcing authorization and authentication policies.



B)  Avoids critical business data in the DMZ :   A DMZ configuration protects application logic and data by creating a buffer between the public Internet Web site and the internal intranet, where Application Servers and the data tier reside.




C)  Supports Network Address Translation (NAT) :   A firewall product that runs NAT receives packets for one IP address and translates the packet headers to send the packet to a second IP address. In environments with firewalls employing NAT, avoid configurations involving complex protocols in which IP addresses are embedded in the body of the IP packet, such as Java Remote Method Invocation (RMI) or Internet Inter-ORB Protocol (IIOP). These embedded IP addresses are not translated, making the packet useless.
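To make the NAT point concrete: an added example (not from the original post or WebSphere) that models a NAT firewall rewriting only the IP header, then flags addresses left behind in the packet body. The packet structure, the NAT table, the IOR-like payload text and port 2809 are all constructed assumptions.

```python
import ipaddress
import re
from collections import namedtuple

# A packet as the firewall sees it: IP header fields plus an opaque payload (constructed model).
Packet = namedtuple("Packet", "src dst payload")

# Static NAT table of the firewall: private app-server address -> public address (constructed).
NAT_TABLE = {"10.0.0.9": "198.51.100.9"}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def source_nat(packet):
    """What a NAT firewall does: rewrite the header address; the payload passes through unchanged."""
    return packet._replace(src=NAT_TABLE.get(packet.src, packet.src))

def embedded_addresses(payload):
    """IPv4 addresses carried inside the packet body (what RMI/IIOP object references contain)."""
    return IPV4.findall(payload)

def stale_embedded_addresses(packet):
    """Body addresses that are still private after NAT: an outside peer cannot reach them."""
    return [a for a in embedded_addresses(packet.payload)
            if ipaddress.ip_address(a).is_private]

# Constructed payloads. The IIOP-style reply embeds a callback host; the HTTP reply carries none.
IIOP_REPLY = Packet("10.0.0.9", "203.0.113.10",
                    "IOR: host=10.0.0.9 port=2809 object=AccountBean")   # 2809: assumed bootstrap port
HTTP_REPLY = Packet("10.0.0.9", "203.0.113.10",
                    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>")

if __name__ == "__main__":
    for p in (IIOP_REPLY, HTTP_REPLY):
        out = source_nat(p)
        print("header src", p.src, "->", out.src,
              "| stale body addresses:", stale_embedded_addresses(out))
```

The IIOP-style reply leaves the firewall with a public header address but a private address in its body, which is exactly why the text recommends plain HTTP through a NAT firewall.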



D)  Avoids the DMZ protocol switch : The Web server sends HTTP requests to Application Servers behind firewalls. It is simplest to open an HTTP port in the firewall to let the requests through. Configurations that require switching to another protocol, such as IIOP, and opening firewall ports corresponding to the protocol, are less desirable. They are often more complex to set up, and the protocol switching overhead can impact performance.



E)  Allows an encrypted link between Web server and Application Server :   Configurations that support encryption of communication between the Web server and Application Server reduce the risk that attackers are able to obtain sensitive information by sniffing packets sent between the Web server and Application Server. A performance penalty usually accompanies such encryption.




Definition of Sniffing Packets :   A packet sniffer is a program that can record all network packets that travel past a given network interface, on a given computer, on a network. It can be used to troubleshoot network problems, as well as to extract sensitive information.

(or)




--->  Packet sniffing is the act of capturing packets of data flowing across a computer network. The software or device used to do this is called a packet sniffer.




----> However, it is also widely used by hackers and crackers to gather information illegally about networks they intend to break into. Using a packet sniffer it is possible to capture data like passwords, IP addresses, protocols being used on the network and other information that will help the attacker.



F)  Avoids a single point of failure  :   A point of failure exists when one process or machine depends on another process or machine. A single point of failure is especially undesirable because if the point fails, the whole system becomes unavailable. When comparing DMZ solutions, a single point of failure refers to a single point of failure between the Web server and Application Server. Various failover configurations can minimize downtime and possibly even prevent a failure. However, these configurations usually require additional hardware and administrative resources.



G)  Minimizes the number of firewall holes  : Configurations that minimize the number of firewall ports are desirable because each additional firewall port leaves the firewall more vulnerable to attackers.

1 comment:

Anonymous said...

Hi,
Find good articles and real information.

The bigger issue that we need to concern ourselves with is whether or not we have the need for an email database in order to become effective IBM Websphere Email Database in our email marketing
