August 6, 2020

DMZ (Demilitarized Zone) – WST

Much like the contested area that separates two foreign powers that do not trust each other, a network DMZ is a place where you put things you do not fully trust – like public-facing servers, or even your service providers.  Yes, you have properly vetted them as part of your vendor management program, but depending on the relationship, you do not necessarily trust them with your institution’s network or all of your data.  For example, why would you want someone at your ATM service provider to have full access to your network and possibly your mortgage loan files?

A firewall is used for more than just web filtering and protecting your organization from threat actors on the Internet; it is also there to help protect you from threat actors that may be lurking on networks with which you have a better trust relationship.  Firewalls protect your internal network from the risks associated with any other network, not just the Internet.  And that is usually where we find the DMZ: on the firewall.

Typically, managed service providers (MSPs), such as your core provider or the Federal Reserve, will ship you a router along with some instructions on where to place it on your network and which ports to open on your firewall.  No matter what these instructions say, that device should go in the DMZ.  Sometimes these instructions are more like guidance than a bullet-point how-to.  This is where the planning and your responsibilities start: you need to understand which interfaces you will use, the source and destination addresses involved, and the policies that must be configured so that communication is restricted to specific data flows between specific endpoints.

Most of the time you already have all the hardware you need to make this happen; the only thing you might be missing is additional physical interfaces on your firewall.  Out of interfaces?  Fix it by purchasing an inexpensive unmanaged switch to hang off your firewall’s DMZ interface and plug in multiple MSP routers.
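As an added illustration of the policy described above (example code, not from the original post or any particular firewall vendor), here is a minimal nftables forward policy for a three-interface firewall: the MSP router sits in the DMZ and may reach exactly one internal host on one port, while every other cross-zone flow, including DMZ to the rest of the internal network, is dropped and logged. Interface names (wan0, lan0, dmz0), the documentation address 192.0.2.10 and the internal host 10.0.5.20 are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the original post's code.  Assumed interfaces:
#   wan0 = Internet, lan0 = internal network, dmz0 = DMZ holding the MSP router.
# Addresses and port are constructed sample values; replace them with your own.
gen_dmz_ruleset() {
    msp_router="${1:-192.0.2.10}"   # MSP-supplied router, sitting in the DMZ
    atm_host="${2:-10.0.5.20}"      # the only internal endpoint that vendor may talk to
    atm_port="${3:-443}"            # the only service on that host it may use
    cat <<EOF
table inet dmz_policy {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to sessions we already allowed; malformed state is dropped
        ct state established,related accept
        ct state invalid drop

        # DMZ -> internal: only the MSP router, only to one host, only one port
        iifname "dmz0" oifname "lan0" ip saddr $msp_router ip daddr $atm_host tcp dport $atm_port accept

        # Internal -> DMZ: internal hosts may initiate to the MSP router on that port only
        iifname "lan0" oifname "dmz0" ip daddr $msp_router tcp dport $atm_port accept

        # DMZ -> Internet: assumes the MSP router tunnels back to the MSP over your link
        iifname "dmz0" oifname "wan0" ip saddr $msp_router accept

        # Everything else (Internet -> LAN, DMZ -> mortgage file server, ...) is logged and dropped
        log prefix "dmz-drop: " drop
    }
}
EOF
}

# How many accept rules let traffic cross from the DMZ into the internal network?
# A tight DMZ design keeps this at one per vendor flow: one source, one host, one port.
count_dmz_to_lan_accepts() {
    gen_dmz_ruleset "$@" | grep -c 'iifname "dmz0" oifname "lan0".*accept'
}

# Load with: gen_dmz_ruleset > /etc/nftables.d/dmz.nft && nft -f /etc/nftables.d/dmz.nft
```

The generated text is a complete ruleset file that `nft -f` accepts; the default `policy drop` is what keeps a vendor's misconfiguration or compromise from reaching anything you did not explicitly list.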

The FFIEC guidelines support this design in two simple statements:

  • Financial institutions should use firewalls to enforce policies regarding acceptable traffic and to screen the internal network from directly receiving external traffic.
  • The DMZ is situated between the outside and the internal network and prevents direct access between the two.

In conclusion, even though you trust the vendors that connect directly to your network, no amount of due diligence is going to protect you from a configuration error on their part, or from a threat actor or ransomware on their network.  Only physical and logical security controls can do that.

If you feel that your firewall is configured improperly, or you just have a question, reach out to us.  We are here to help.
