How Does a Firewall Establish a DMZ Network?
Barracuda Networks offers firewall appliances to create DMZs and protect servers and their residing apps from rogue devices and operators, nation-state actors, hackers and ransomware cybercrime organizations. Many Wi-Fi routers even come with a DMZ configuration option for cases where an internal server or machine can be exposed to the internet.
The key is that the DMZ sits in the middle, segmenting the internet and firewall from the internal network and organizational operations.
“Email servers are typically put on the DMZ, so they can receive inbound emails, they can send outbound emails. You know that there’s an exposure,” says Sinan Eren, vice president of zero-trust security at Barracuda. “At the same time, by separating those servers from the internal servers, this is a contaminated area that I need to secure; this internal service area, where all the internal applications are, it’s more secure by design.”
That segmentation also avoids having employee and even customer data located alongside an organization’s “crown jewels” and production environment, Richberg says.
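The three-zone separation described above, written as an nftables forwarding policy. This is an added example, not a Barracuda configuration or anything from the article; the interface names, the mail server address (a documentation-range placeholder) and the client mail ports are assumptions. It covers zone separation at the address and port level only.

```nftables
#!/usr/sbin/nft -f
# Added example: internet / DMZ / internal forwarding policy.
# All names and addresses below are assumptions for illustration.
flush ruleset

define WAN_IF  = "eth0"        # internet-facing interface (assumed)
define DMZ_IF  = "eth1"        # DMZ segment (assumed)
define LAN_IF  = "eth2"        # internal network (assumed)
define MAIL_GW = 192.0.2.25    # DMZ mail server, documentation address

table inet dmz_policy {
    chain forward {
        # Anything not explicitly allowed between zones is dropped.
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows a rule below already admitted.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: inbound email, and only to the mail server.
        iifname $WAN_IF oifname $DMZ_IF ip daddr $MAIL_GW tcp dport 25 accept

        # DMZ -> internet: the mail server sends outbound email.
        iifname $DMZ_IF oifname $WAN_IF ip saddr $MAIL_GW tcp dport 25 accept

        # Internal -> DMZ: clients submit and read mail (assumed ports).
        iifname $LAN_IF oifname $DMZ_IF ip daddr $MAIL_GW tcp dport { 587, 993 } accept

        # DMZ -> internal: a DMZ host never opens a connection inward.
        # Logged and counted, because an attempt here means a DMZ host
        # is misconfigured or compromised.
        iifname $DMZ_IF oifname $LAN_IF log prefix "dmz-to-lan-drop " counter drop

        # Internet -> internal: no direct path, the DMZ sits in between.
        iifname $WAN_IF oifname $LAN_IF counter drop
    }
}
```

The counter on the DMZ-to-internal rule gives a simple detection signal: on a healthy network it stays at zero.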
How Do DMZ Networks Ensure the Integrity of VPN Service?
When state and local governments let a VPN connect straight into their network — especially without a firewall performing full content inspection — they fall into the trap of making assumptions about the security of that endpoint, Richberg says. By contrast, hosting the VPN service in the DMZ serves as another check on the integrity of network activity.
When it comes to establishing a DMZ, stateless and stateful firewalls looking at connections and context won’t cut it. State and local governments need a next-generation firewall examining content within the traffic stream.
Many organizations were “burned badly” in the first year that employees worked from home, Richberg says. They discovered that remote environments were nowhere near as secure as the traditional workplace, and home offices became access points for malware.
“You really need to be using some kind of next-gen firewall that can do full-packet inspection, and it’s got to be a reasonably powerful one because otherwise you slow production use,” Richberg says.
Weak firewalls introduce seconds of latency between click and response, he adds.