Monday, 23 August 2010

What exactly is a DMZ?

A Demilitarized Zone, or DMZ, is a network segment that is kept separate from other networks. Many organizations use a DMZ to separate their Local Area Networks (LANs) from the Internet, adding a layer of security between the corporate network and the public Internet.


The systems most commonly placed in a DMZ are public-facing servers. For example, if an organization hosts its own website, the web server can be placed in the DMZ. That way, if the machine is ever compromised, the attacker does not gain direct access to the rest of the company's network.

When a LAN is connected to the Internet, a router provides the physical connection to the public Internet, and a firewall acts as the gateway that keeps malicious traffic out of the network. One firewall interface usually connects to the corporate network using an internal address on that network, so that traffic sent by users inside the company can reach the Internet. Another interface is usually configured with a public address, so that Internet traffic can reach the organization. Together, these two interfaces carry the organization's inbound and outbound data.



To create a DMZ, an organization adds another network segment or subnet that is still part of the organization but is not connected directly to the corporate network. The DMZ uses a third interface on the firewall. In this configuration the firewall exchanges data with both the corporate network and the DMZ network, using Network Address Translation (NAT).

Network Address Translation lets data received on a specific port or interface be forwarded to a host on a specified network. For example, when someone visits an organization's website, the browser connects to the public address associated with the site. If the organization keeps its web server in a DMZ, the firewall knows that traffic sent to that public address should be passed to the server sitting in the DMZ network rather than into the organization's internal network.
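The following added example (not part of the original post) models the three-interface firewall described above as a small policy evaluator: the Internet may reach only the published web service, which is NAT-translated to the DMZ host, the LAN may reach both the Internet and the DMZ, and the DMZ cannot open connections into the LAN. All addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the three firewall interfaces (illustrative only).
ZONES = {
    "lan": ip_network("10.0.0.0/24"),       # corporate network
    "dmz": ip_network("192.168.100.0/24"),  # public-facing servers
}
PUBLIC_WEB_IP = ip_address("203.0.113.10")     # address published for the website
DMZ_WEB_SERVER = ip_address("192.168.100.10")  # where the site actually lives
WEB_PORTS = {80, 443}

def zone_of(addr):
    """Map an address to its firewall zone; anything not LAN or DMZ is the Internet."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "wan"

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

def translate(pkt):
    """Destination NAT: rewrite the public web address to the DMZ server."""
    if ip_address(pkt.dst) == PUBLIC_WEB_IP and pkt.dport in WEB_PORTS:
        return Packet(pkt.src, str(DMZ_WEB_SERVER), pkt.dport, pkt.proto)
    return pkt

def decide(pkt):
    """Return (verdict, translated_packet) for a new connection hitting the firewall."""
    pkt = translate(pkt)
    src, dst = zone_of(pkt.src), zone_of(pkt.dst)
    if src == "lan" and dst in ("wan", "dmz"):
        return "ACCEPT", pkt  # users browse the Internet and manage DMZ hosts
    if src == "wan" and dst == "dmz":
        # Only the published web service is reachable from the Internet.
        ok = ip_address(pkt.dst) == DMZ_WEB_SERVER and pkt.dport in WEB_PORTS
        return ("ACCEPT" if ok else "DROP"), pkt
    # Default deny: the Internet never reaches the LAN directly, and the DMZ
    # cannot open connections into the LAN, so a compromised web server is contained.
    return "DROP", pkt
```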
