Security

What is DMZ Networking & How Do They Help State & Local Governments?

The perimeter buffers are being replaced by zero-trust products and solutions, but not universally.

Dave Nyczepir is a Senior Editor for StateTech.

Some state and local governments never established demilitarized zone networks because they didn’t consider home offices a threat when they shifted to remote work after the COVID-19 outbreak, security experts say.

What is a DMZ network? While the term might be unfamiliar military jargon in a networking context, DMZs are a standard approach to the segmentation of an organization’s most valuable servers and applications requiring internet access.

State and local governments pivoting to remote work in 2020 typically ran employees on public internet through a VPN brokering access to internal files, databases or virtual desktops. Though organizations are best served to have a VPN connection running through a DMZ, a buffering perimeter subnetwork, rather than directly into internal assets, that didn’t always play out.

“I am having conversations with state and local governments who are working off their technical debt,” says Jim Richberg, public sector CISO and vice president of information security at Fortinet. “A lot of them really don’t have the kind of horsepower on things like a firewall that would allow them to do this.”

Click the banner below to receive curated content by becoming an Insider.

How Does a Firewall Establish a DMZ Network?

Barracuda Networks offers firewall appliances to create DMZs and protect servers and their residing apps from rogue devices and operators, nation-state actors, hackers and ransomware cybercrime organizations. Many Wi-Fi routers even come with DMZ configurations when an internal server or machine can be exposed to the internet.

The key is that the DMZ sits in the middle, segmenting the internet and firewall from the internal network and organizational operations.

“Email servers are typically put on the DMZ, so they can receive inbound emails, they can send outbound emails. You know that there’s an exposure,” says Sinan Eren, vice president of zero-trust security at Barracuda. “At the same time, by separating those servers from the internal servers, this is a contaminated area that I need to secure; this internal service area, where all the internal applications are, it’s more secure by design.”

That segmentation also avoids having employee and even customer data located alongside an organization’s “crown jewels” and production environment, Richberg says.

EXAMINE: How states and localities are successfully using identity and access management.

How Do DMZ Networks Ensure the Integrity of VPN Service?

When state and local governments let a VPN connect straight into their network — especially without a firewall performing full content inspection — they fall into the trap of making assumptions about the security of that endpoint, Richberg says. By contrast, hosting the VPN service in the DMZ serves as another check on the integrity of network activity.

When it comes to establishing a DMZ, stateless and stateful firewalls looking at connections and context won’t cut it. State and local governments need a next-generation firewall examining content within the traffic stream.

Many organizations were “burned badly” in the first year that employees worked from home, Richberg says. They discovered that remote environments were nowhere near as secure as the traditional workplace, and home offices became access points for malware.

“You really need to be using some kind of next-gen firewall that can do full-packet inspection, and it’s got to be a reasonably powerful one because otherwise you slow production use,” Richberg says.

Weak firewalls introduce seconds of latency between click and response, he adds.

You really need to be using some kind of next-gen firewall that can do full-packet inspection.”

Jim Richberg Public Sector CISO and Vice President of Information Security, Fortinet

What Advantages Do DMZ Networks Offer State and Local Government?

In addition to helping state and local governments secure remote work and extend digital services, DMZs can host access to operational technology and Internet of Things devices. Such technologies aren’t secure by design and lack upgradeable capabilities, but DMZs allow organizations to work around them, Richberg says.

DMZs also can act as a landing point for servers and apps that state and local governments want to migrate, either on-premises or to the cloud, without having to stand up a separate security architecture.

Last, DMZs assist state and local governments with compliance because they allow for audit logs detailing who accessed personally identifiable information inside servers, particularly citizen data.

For these reasons, Richberg says he expects state and local governments will increasingly invest in next-generation firewalls to create DMZs.

“This gives me two things that somebody’s got to jump through if they’re going to get into the organization, so I have a better chance that they won’t make it or that I will see them if they try,” he says. “It’s just basic blocking and tackling.”

LEARN ABOUT: How Zero-trust security aids state and local governments.

How Do DMZ Networks Relate to Zero Trust?

The segmentation DMZs provide by protecting an organization’s internal assets is also a goal of a zero-trust security strategy. In fact, more state and local governments are transitioning from DMZs to zero-trust access patterns, Eren says.

Rather than placing internal servers in a DMZ, organizations are putting them behind zero-trust products and solutions, which then grant remote employees access to apps completely hidden from the internet. Vendors including Barracuda serve as two-way brokers responsible for authenticating and authorizing employees as well as validating applications they connect.

“Instead of running your own DMZ, what you did is you lifted and shifted that DMZ to the vendor’s infrastructure,” Eren says. “Therefore, you don’t need to maintain a DMZ; that’s how zero trust works.”

The shift to zero-trust security architectures won’t happen overnight, but it is a priority of the federal government that state and local governments can incentivize and subsidize.

Zero-trust adoption is accelerating among educational institutions, and states and localities should follow if they have the IT budgets to modernize legacy firewalls with newer technologies, Eren says.

EXPLORE: 3 best practices for state agencies to strengthen identity protection.

What Is the Future of DMZ Networks for State and Local Agencies?

State and local governments continue to rely on firewalls protecting DMZs in the meantime, in keeping with the Lindy effect. The Lindy effect is a theorized phenomenon in which the future life expectancy of a technology or idea is proportional to its current age, and DMZs as a concept have been around for several decades, Eren says.

The acceleration of zero-trust adoption could conceivably cut into the lifespan of DMZs, but there’s a catch.

“Even if you do provide zero-trust access through most of your internal applications for your teleworking employees, there will still be a DMZ for a subset of applications,” Eren says. “It will never go away, but its exposure — or the number of applications we stuff into a DMZ — is going to shrink over time.”

Given that DMZs aren’t going anywhere anytime soon, state and local governments should consider forming more than one to host critical servers that need to be internet-facing, Eren says.

Web, email and storage servers don’t need to reside in the same DMZ, and virtual LANs can assign multiple DMZs, limiting the ability of bad actors to move laterally across servers in the event of a breach.

“Separating them out into multiple DMZs would be a very good rule of thumb when you’re designing the DMZs,” Eren says. “That hasn’t been done enough.”

KanawatTH/Getty Images