DMZ networks in a nutshell

David E Lares S
3 min readMar 21, 2024

It’s fairly common for enterprise networks to need, at some point, to expose services to the Internet, and not just to expose them but to do it securely. In networking and cybersecurity you’ll hear a lot about DMZ networks and firewalls working together, because that combination is how the goal is usually achieved.

A DMZ (demilitarized zone) is a separate network segment that sits between the Internet and the internal LAN. Anything that must be reachable from the outside lives there, so the traffic into and out of it can be filtered and monitored at one central point. The key component of this approach is a firewall between the LAN and the Internet, with the DMZ as its own segment.

The main goal of a DMZ is to publish services to the Internet without giving the Internet a path into your internal network. That is usually an enterprise concern, but it is not limited to enterprises at all.

In the simplest configuration a single firewall with three interfaces (Internet, DMZ, LAN) splits the traffic: the inbound rules decide which DMZ services the Internet may reach, and a separate set of rules decides what, if anything, a DMZ host may open towards the LAN. That is the most basic setup of both components.

Still, there are scenarios where you find multiple firewalls, two at least: a “frontend” firewall responsible for the traffic between the Internet and the DMZ itself, and a “backend” firewall that takes the already filtered traffic from the DMZ and decides what may pass into the internal LAN. With two layers, a compromise or misconfiguration of the frontend firewall does not by itself expose the LAN.
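To make the single-firewall and dual-firewall descriptions concrete, here is an added example (not code from the original post) that models the two rule sets as zone-based, first-match, default-deny policies and evaluates sample flows across whichever firewalls they cross. The subnets, ports, and the split into FRONTEND and BACKEND rule sets are assumptions for the example; a three-legged single firewall would simply hold both lists.

```python
# Added example: zone-based model of a dual-firewall DMZ policy.
# Addresses, ports and rules are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical subnets; anything outside them counts as the Internet.
ZONES = {
    "DMZ": ip_network("203.0.113.0/24"),
    "LAN": ip_network("10.10.0.0/16"),
}


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any port
    proto: str               # "tcp", "udp" or "any"
    action: str              # "accept" or "drop"


# Frontend firewall: sits between the Internet and everything inside.
FRONTEND: List[Rule] = [
    Rule("INTERNET", "DMZ", 80, "tcp", "accept"),    # public web
    Rule("INTERNET", "DMZ", 443, "tcp", "accept"),
    Rule("INTERNET", "DMZ", 25, "tcp", "accept"),    # inbound mail relay
    Rule("INTERNET", "LAN", None, "any", "drop"),    # never straight into the LAN
    Rule("DMZ", "INTERNET", 53, "udp", "accept"),    # DMZ hosts may resolve names
    Rule("LAN", "INTERNET", None, "any", "accept"),  # ordinary egress
]

# Backend firewall: sits between the LAN and everything outside it.
BACKEND: List[Rule] = [
    Rule("DMZ", "LAN", 5432, "tcp", "accept"),       # web tier -> database only
    Rule("DMZ", "LAN", None, "any", "drop"),         # nothing else from the DMZ
    Rule("LAN", "DMZ", None, "any", "accept"),       # admins manage DMZ hosts
    Rule("LAN", "INTERNET", None, "any", "accept"),
]


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str,
             dst_port: int, proto: str) -> str:
    """First matching rule wins; no match means drop (default deny)."""
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and r.proto in ("any", proto)
                and (r.dst_port is None or r.dst_port == dst_port)):
            return r.action
    return "drop"


def path(src_zone: str, dst_zone: str) -> List[Tuple[str, List[Rule]]]:
    """Firewalls a flow crosses: the frontend whenever one end is the Internet,
    the backend whenever one end is the LAN (both for Internet <-> LAN)."""
    hops = []
    if "INTERNET" in (src_zone, dst_zone):
        hops.append(("frontend", FRONTEND))
    if "LAN" in (src_zone, dst_zone):
        hops.append(("backend", BACKEND))
    return hops


def decide(src_ip: str, dst_ip: str, dst_port: int, proto: str = "tcp") -> str:
    """A flow is accepted only if every firewall on its path accepts it."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "accept"  # same segment, no firewall in between
    for _name, rules in path(src_zone, dst_zone):
        if evaluate(rules, src_zone, dst_zone, dst_port, proto) != "accept":
            return "drop"
    return "accept"


if __name__ == "__main__":
    samples = [
        ("198.51.100.7", "203.0.113.10", 443, "tcp"),  # Internet -> DMZ web
        ("198.51.100.7", "10.10.5.5", 443, "tcp"),     # Internet -> LAN
        ("203.0.113.10", "10.10.20.3", 5432, "tcp"),   # DMZ web -> LAN database
        ("203.0.113.10", "10.10.20.3", 22, "tcp"),     # DMZ -> LAN SSH
    ]
    for s in samples:
        print(s, "->", decide(*s))
```

The point to notice is the backend list: the only thing a DMZ host may open towards the LAN is one database port, so an attacker who owns the web server still cannot reach the rest of the internal network. Each list maps directly onto an nftables or iptables chain with a drop policy.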

Sadly, this approach has some inconveniences too: mostly performance, practical bottlenecks at big traffic peaks, and vulnerabilities in, and patching of, the firewall devices themselves.

To succeed with a DMZ you need a strategy covering usage, security updates, and load balancing so the services keep responding. And a DMZ isn’t meant for everything: it is the place for the components that must face the Internet, such as web servers, email servers and related public services, together with the traffic monitoring tools that watch them. Internal-only systems (databases, file servers, directory services) stay in the LAN behind the second layer of filtering.

That said, you can apply the pattern to any software piece that needs to be reachable from the Internet. And in terms of security, a great mechanism to detect intrusions in that segment is generally known as a Honeypot.

Let’s dig in a little bit more.

Honeypots in DMZ networks

If you are not familiar with Honeypots: in simple words, they are systems intended to distract attackers, with the goal of gaining valuable time to trigger alarms and evaluate what failed and how severe the threat is.

With this you can plan the security of your infrastructure, because a Honeypot tells you how you are being compromised and which techniques attackers are using against your systems. You get material to scope and investigate the activity performed on the system, and you can apply whatever tooling you have to adapt your defenses to those attack paths.

From an attacker's point of view, honeypots typically look like easy targets; sometimes they look like the vulnerable part of the network, and of course that is intended. Overall, the more convincing they are at that, the better they work.

So, how are they related?

Honeypots fit into DMZ strategies. They can be installed in the LAN, inside the DMZ itself, or directly on the Internet, although the last option is not recommended.

If you plan to put the Honeypot inside the LAN, I’m afraid it may already be too late: an attacker reaching it has already passed several security mechanisms before getting to the Honeypot. The correct (or recommended) place for a Honeypot is inside the DMZ: it fits its surroundings credibly, and it is a tempting and plausible target there.

The practical concern with Honeypots is that a Honeypot is a conventional resource, just another server, with standard to considerable security settings, but it has to be very realistic to catch the attacker’s attention. Since no legitimate system should ever talk to it, anything that touches it is suspicious by definition, which is what makes its alerts so valuable.
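To show what “trigger alarms” and “material to investigate” look like in practice, here is an added example (not code from the original post or the article linked below) of a minimal low-interaction honeypot of the kind you would place in a DMZ: it presents an SSH-looking banner on a TCP port, records the first thing each client sends, never grants anything, and a summarize() function flags sources that hammer it. The banner text, the port choice, and the attacker traffic generated by demo() are all constructed for the example.

```python
# Added example: minimal TCP honeypot plus alerting over its event log.
# Banner, ports and the attacker traffic in demo() are constructed.
import socket
import threading
import time
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"  # plausible, not a real host


@dataclass
class Event:
    ts: float
    peer: str
    data: bytes  # first bytes the attacker sent, e.g. a credential attempt


class Honeypot:
    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        # port 0 lets the OS pick a free port (handy for tests); on a DMZ
        # host you would bind the real service port, e.g. 22.
        self.host, self.port = host, port
        self.events: List[Event] = []
        self._stop = threading.Event()
        self._sock: Optional[socket.socket] = None
        self._thread: Optional[threading.Thread] = None

    def start(self) -> int:
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(8)
        self._sock.settimeout(0.2)  # so the loop can notice stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self.port

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.sendall(BANNER)      # look like sshd
                    data = conn.recv(1024)    # capture the first attempt
                except OSError:
                    data = b""
            # Record, never answer: the evidence is the whole point.
            self.events.append(Event(time.time(), addr[0], data))

    def stop(self) -> None:
        self._stop.set()
        if self._thread:
            self._thread.join()  # accepted connections are fully recorded
        if self._sock:
            self._sock.close()


def summarize(events: List[Event], window_s: float = 60.0,
              threshold: int = 3) -> Tuple[Dict[str, int], Set[str]]:
    """Hits per source, plus sources with >= threshold hits inside window_s."""
    counts = Counter(e.peer for e in events)
    by_peer: Dict[str, List[float]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_peer[e.peer].append(e.ts)
    noisy: Set[str] = set()
    for peer, ts in by_peer.items():
        for i in range(len(ts) - threshold + 1):
            if ts[i + threshold - 1] - ts[i] <= window_s:
                noisy.add(peer)
                break
    return dict(counts), noisy


def probe(port: int, payload: bytes, host: str = "127.0.0.1") -> bytes:
    """Play the attacker: connect, read the banner, send one payload."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(len(BANNER))
        s.sendall(payload)
    return banner


def demo() -> Tuple[List[Event], Dict[str, int], Set[str]]:
    """Run a constructed brute-force burst against a local honeypot."""
    hp = Honeypot()
    port = hp.start()
    for guess in (b"root:toor\r\n", b"admin:admin\r\n", b"root:123456\r\n"):
        probe(port, guess)
    hp.stop()
    counts, noisy = summarize(hp.events)
    return hp.events, counts, noisy


if __name__ == "__main__":
    events, counts, noisy = demo()
    for e in events:
        print(f"{e.ts:.3f} {e.peer} sent {e.data!r}")
    print("hits:", counts, "brute-force sources:", noisy)
```

Two design choices matter: the listener never implements the protocol it imitates (low interaction keeps it from becoming a real foothold), and the single-connection threshold in summarize() is deliberately low because, unlike a production sshd, a honeypot has no legitimate clients to separate from the noise.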

I recommend this article; it has more in-depth explanations and a practical section too: implement your own and wait for the attacks.
