Posted by: James Murray
DMZ design, Modern Network Architecture
We are all familiar with core business technologies: the systems that keep the business running. Each department within a business keeps a database of information that maintains the competitive advantage of the business. These are the core business systems. If these systems fail, the competitive advantage of the company may be lost; when they are compromised, the end result can be bankruptcy. Edge systems are
Modern network architecture defines edge systems as independent systems that sit on the outer periphery, or edge, of the network. They do not run on the same physical boxes as the core business systems. They block all packets except known and approved packets from entering the subnets where the core business systems run. Edge system logic assumes all incoming traffic is dangerous unless proven otherwise (a default-deny policy): a packet must prove it is safe before it can pass through an edge system. Typically we think of edge systems as protecting against spam, system overloads, viruses attached to email, or outright attacks on the core company infrastructure.
Some edge system examples:
- Firewalls and routers are among the first security barriers preventing access to production network infrastructure.
- Load balancing systems are application-layer systems that distribute the computing load across multiple mirrored servers.
- Email forwarding may use a hub or transport server to inspect and approve traffic before the mail is forwarded to the actual mail store server.
An edge server acts as an additional check on the data packet before that packet is passed on to the core business systems of the organization.
An edge system can be very simple or very complex. The simplest systems may only perform network address translation (NAT). A more complex system moves approved packets through multiple subnets, performs signature validation and other integrity checks, inspects encrypted traffic (which means the encryption must be terminated at the edge, so the edge itself becomes a trusted component), and may even terminate the incoming protocol and re-originate the data over a different protocol before passing it to the next system. These complex edge systems sit just before entry to, or inside, a DMZ. A DMZ, named after the demilitarized zones of the Cold War, is a physical or logical sub-network that contains and exposes an organization's external services to an untrusted network.
DMZs come in many shapes and sizes. The classic DMZ manages at least three subnets: trusted, untrusted and the DMZ itself. The trick for the packet is moving from one segment to the next. This move often requires a NAT from one subnet to the other. Before the NAT can happen, the packet needs to be authenticated and approved. Modern DMZs use multiple systems for packet authentication. Using a Public Key Infrastructure (PKI) for authentication, the DMZ applies multiple layers of cryptographic protection: signing, authentication, data encryption and tunneling protocols.
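As an added example (written for this page, not code from the original post), here is the default-deny, three-subnet design described above modelled in Go: known subnets define the trusted and DMZ zones and everything else is untrusted, a destination-NAT table maps the public address of a DMZ service to the host that really serves it, and an explicit allow-list is consulted only after NAT and routing, with every unmatched packet dropped. The zone names, addresses (RFC 1918 and RFC 5737 ranges), services and ports are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Zone is one logical segment attached to the edge system.
type Zone string

const (
	Untrusted Zone = "untrusted" // Internet-facing side
	DMZ       Zone = "dmz"       // exposed services
	Trusted   Zone = "trusted"   // core business systems
)

// Rule is one explicit permit. A packet that no rule matches is dropped.
type Rule struct {
	From, To Zone
	Proto    string
	DstPort  uint16
}

// Policy is the allow-list plus the destination-NAT table (public address -> DMZ host).
type Policy struct {
	Subnets map[Zone]netip.Prefix // internal subnets; anything else is untrusted
	Allow   []Rule
	DNAT    map[netip.Addr]netip.Addr
}

// Packet holds the header fields the policy inspects.
type Packet struct {
	In      Zone // zone of the interface the packet arrived on
	Dst     netip.Addr
	Proto   string
	DstPort uint16
}

// zoneOf routes an address: inside a known subnet it is that zone, anything
// else is the Internet. Subnets are disjoint, so map order does not matter.
func (p Policy) zoneOf(a netip.Addr) Zone {
	for z, pfx := range p.Subnets {
		if pfx.Contains(a) {
			return z
		}
	}
	return Untrusted
}

// Evaluate models the forwarding path: DNAT on untrusted ingress first (as a
// prerouting hook would), route the rewritten destination to find the egress
// zone, then look for an explicit permit. It returns the verdict and the
// post-NAT destination. No match means drop: the packet has not proven itself.
func (p Policy) Evaluate(pkt Packet) (bool, netip.Addr) {
	dst := pkt.Dst
	if mapped, ok := p.DNAT[dst]; ok && pkt.In == Untrusted {
		dst = mapped
	}
	out := p.zoneOf(dst)
	for _, r := range p.Allow {
		if r.From == pkt.In && r.To == out && r.Proto == pkt.Proto && r.DstPort == pkt.DstPort {
			return true, dst
		}
	}
	return false, dst // default deny
}

// ExamplePolicy is a constructed three-subnet layout (assumed RFC 1918 and RFC 5737
// addresses): only the DMZ web front end may reach the core database in trusted.
func ExamplePolicy() Policy {
	return Policy{
		Subnets: map[Zone]netip.Prefix{
			Trusted: netip.MustParsePrefix("10.0.0.0/24"),
			DMZ:     netip.MustParsePrefix("192.168.100.0/24"),
		},
		Allow: []Rule{
			{Untrusted, DMZ, "tcp", 443}, // Internet -> public web front end
			{DMZ, Trusted, "tcp", 5432},  // front end -> core database only
		},
		DNAT: map[netip.Addr]netip.Addr{
			netip.MustParseAddr("203.0.113.10"): netip.MustParseAddr("192.168.100.10"),
		},
	}
}

func main() {
	p := ExamplePolicy()
	for _, pkt := range []Packet{
		{Untrusted, netip.MustParseAddr("203.0.113.10"), "tcp", 443}, // approved, NATed into the DMZ
		{Untrusted, netip.MustParseAddr("203.0.113.10"), "tcp", 22},  // no rule: dropped
		{Untrusted, netip.MustParseAddr("10.0.0.10"), "tcp", 5432},   // aimed straight at the core: dropped
		{DMZ, netip.MustParseAddr("10.0.0.10"), "tcp", 5432},         // front end to database: approved
	} {
		ok, dst := p.Evaluate(pkt)
		fmt.Printf("%-9s -> %-13s %s/%-4d accept=%-5t egress=%-9s dst=%s\n",
			pkt.In, pkt.Dst, pkt.Proto, pkt.DstPort, ok, p.zoneOf(dst), dst)
	}
}
```

Running it shows the four cases that matter: Internet traffic to the published HTTPS address is rewritten into the DMZ and accepted; SSH to the same address, and anything aimed directly at the trusted subnet, falls through to the default deny; and only the DMZ front end's database connection is allowed into the core. A real edge would also track connection state so that replies are admitted without separate rules, which this model omits.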
When a packet comes into the DMZ it is only accepted if it has been approved by a trusted third party. A simple approval occurs when the edge system verifies the packet's signature. A signature is not decrypted; it is checked with the signer's public key, and the PKI vouches for that key through a certificate that chains to a root the edge system trusts. A packet whose signature fails, or whose signer's certificate is not trusted by the PKI, is dropped.
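Here is an added example, written for this page rather than taken from the original post, of that approval step in Go using only the standard library: a corporate root CA issues a certificate to a partner gateway, the gateway signs a packet, and the edge accepts it only if the signer's certificate chains to the root the edge trusts and the signature verifies over the payload. A tampered copy and a packet signed under a look-alike rogue CA are both rejected. The CA and gateway names, the payload and the choice of ECDSA P-256 are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedPacket is a message crossing the edge: payload, ECDSA signature over
// SHA-256(payload), and the DER certificate the PKI issued to the signer.
type SignedPacket struct {
	Payload, Signature, SignerDER []byte
}

// newCert issues a P-256 certificate; a nil parent means self-signed (a root
// CA). Panicking on failure is a demo shortcut, not production practice.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // re-parse so Raw, Subject and key IDs are populated
	return cert, key
}

// Sign is the sending side: hash the payload, sign the digest, attach the certificate.
func Sign(payload []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) SignedPacket {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return SignedPacket{Payload: payload, Signature: sig, SignerDER: cert.Raw}
}

// VerifyAtEdge is the check run before forwarding. Nothing is decrypted: the
// edge first confirms the signer's certificate chains to a root it trusts (the
// PKI's contribution), then verifies the signature with that certificate's key.
func VerifyAtEdge(roots *x509.CertPool, pkt SignedPacket) error {
	signer, err := x509.ParseCertificate(pkt.SignerDER)
	if err != nil {
		return fmt.Errorf("unparseable signer certificate: %w", err)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("signer not trusted by the PKI: %w", err)
	}
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, pkt.Payload, pkt.Signature); err != nil {
		return fmt.Errorf("signature does not match payload: %w", err)
	}
	return nil
}

// RunScenarios builds the corporate PKI and a rogue one, signs a constructed payload,
// and returns the edge's verdict for a genuine, a tampered and a rogue-signed packet.
func RunScenarios() map[string]error {
	root, rootKey := newCert("Corp Root CA", true, nil, nil)
	gw, gwKey := newCert("partner-gateway", false, root, rootKey)
	rogueRoot, rogueRootKey := newCert("Rogue CA", true, nil, nil)
	rogueGw, rogueGwKey := newCert("partner-gateway", false, rogueRoot, rogueRootKey) // same name, never issued by us
	roots := x509.NewCertPool()
	roots.AddCert(root) // the only root this edge trusts
	payload := []byte("ORDER 4711: ship 200 units to warehouse B") // constructed sample
	genuine := Sign(payload, gw, gwKey)
	tampered := SignedPacket{Payload: []byte("ORDER 4711: ship 2000 units to warehouse B"),
		Signature: genuine.Signature, SignerDER: genuine.SignerDER}
	return map[string]error{
		"genuine":  VerifyAtEdge(roots, genuine),
		"tampered": VerifyAtEdge(roots, tampered),
		"rogue-ca": VerifyAtEdge(roots, Sign(payload, rogueGw, rogueGwKey)),
	}
}

func main() {
	fmt.Println(RunScenarios())
}
```

The order of the two checks is deliberate: a signature that verifies under an untrusted certificate proves nothing, so the chain to the trusted root is established before the signature is examined. In production the edge would additionally check revocation and pin the expected subject or extended key usage, neither of which this example does.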
Edge systems protect the core data within the business system. The edge system starts from a traditional DMZ infrastructure and augments it with additional security techniques. To reduce the complexity of managing the routing systems within the DMZ, other tools such as PKI, packet signing, tunneling, authentication, data encryption and gateway technologies are used. An edge system takes the old DMZ infrastructure and adds a layered series of security systems that improve the reliability and security of the core business systems.