Over a decade ago a DMZ was considered an effective architecture for handling network load and attacks. Since then the DMZ has changed from a robust line of defense to a critical infrastructure component. An attack on the DMZ will immediately impact the internal network. It’s time to rethink the DMZ architecture.
The DMZ Soft Spot
Organizations use the DMZ approach to control access to their on-premises network. In this traditional approach the internal network is divided into at least two distinct zones: one open to the external world and another employing controlled and secure access – a security Demilitarized Zone, or DMZ.
But here is the DMZ soft spot: organizations frequently place business-critical infrastructure within the DMZ, which means that attackers who manage to enter the DMZ can inflict substantial damage on the overall network. A more recent approach is to implement a secure DMZ below the traditional DMZ, which creates an additional security layer. And yet – we find that when a website is attacked, all DMZ layers frequently fail, along with the on-premises network, because the infrastructure is shared by both.
The traditional DMZ carries numerous vulnerabilities and weaknesses, for example:
- Inability to mitigate DDoS – the DMZ is completely vulnerable to DDoS. It will collapse under a DDoS attack and, with it, the overall defense infrastructure. The massive number of log entries generated by security systems that reside in the DMZ, such as IPS, IDS and WAF, results in loss of focus and an inability to identify critical information.
- Intrusion into the internal network – attackers may exploit DMZ vulnerabilities to reach the internal network, because the DMZ is ultimately connected to the LAN.
- Information leakage – the communication between the user and the network is bi-directional, which makes it difficult to control outgoing data. For example – a bot or Trojan may reside inside the network and silently send data out through the DMZ.
The DMZ approach was meant to be a business enabler. Its role was to ensure that customers can keep performing business transactions, no matter what. It is no longer serving its role.
So how do you properly secure and manage sensitive components residing within your DMZ? A more effective approach is a Cloud DMZ: a functional replica of the original website which serves a significant portion of the requests to the original site and creates an additional security layer.
The Benefits of a Cloud-DMZ:
- Virtually unlimited scalability to withstand DDoS attacks: the cloud-DMZ approach leverages the elasticity of the cloud to scale and absorb virtually unlimited bandwidth.
- Simplifies security policy enforcement: handling requests in the cloud allows organizations to enforce their security policy away from the actual DMZ, serving only clean traffic to the origin and eliminating risk to the organization.
- Globally effective: by leveraging the public cloud the DMZ is globally scalable and effective, as if it were residing on premises.
- Distances the attack: by locating a DMZ in the cloud, organizations can distance the attack from the business and defuse the threat.
- Consolidates website layers: a cloud-DMZ consolidates the CMS, database, web server and web application layers into a single HTTP layer. A layer may present itself in one location, then minutes later in another location, making it virtually impossible for hackers to actually penetrate the original website. A website implementing a cloud-DMZ can sense an attack in advance and create a decoy location to protect itself against hackers.
- Focuses the security operation: a cloud-DMZ architecture limits access so that only legitimate transactions reach the DMZ. This dramatically lowers the number of alerts security teams are exposed to, and focuses the security effort on a handful of high-priority alerts.
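To make the "clean traffic only" and "focuses the security operation" points concrete, here is an added toy model (example code, not from the original post or any vendor product) of a cloud-DMZ front layer in front of an origin site. The front layer applies a positive policy (method allow-list, path allow-list, per-source rate limit) and forwards only what passes; the origin accepts connections only from the front layer's fixed egress address, so a direct hit on the origin produces a single high-value alert instead of a flood of IPS noise. All IP addresses, paths and thresholds are constructed sample values and assumptions for illustration.

```python
# Added example: toy cloud-DMZ front layer plus an origin that trusts only it.
# Addresses (documentation ranges), routes and thresholds are constructed
# assumptions, not values from the post.
from collections import Counter
from dataclasses import dataclass

DMZ_EGRESS_IP = "192.0.2.50"            # assumed fixed egress of the cloud layer
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_PREFIXES = ("/catalog/", "/checkout", "/api/orders")
RATE_LIMIT = 20                          # max requests per source in the window


@dataclass(frozen=True)
class Request:
    src_ip: str
    method: str
    path: str


def allowed_path(path: str) -> bool:
    """Positive path policy: only the site's known public routes pass."""
    return path == "/" or path.startswith(ALLOWED_PREFIXES)


class Origin:
    """The real site. Any peer other than the cloud layer is an alert."""

    def __init__(self) -> None:
        self.served = 0
        self.alerts = []

    def handle(self, req: Request, peer_ip: str) -> int:
        if peer_ip != DMZ_EGRESS_IP:
            self.alerts.append(("direct-origin-access", peer_ip, req.path))
            return 403
        self.served += 1
        return 200


class CloudDmz:
    """Cloud front layer: absorbs the flood, applies policy, forwards clean requests."""

    def __init__(self, origin: Origin) -> None:
        self.origin = origin
        self.per_source = Counter()   # requests seen per source address
        self.stats = Counter()        # what was forwarded / dropped and why

    def handle(self, req: Request) -> int:
        self.per_source[req.src_ip] += 1
        if self.per_source[req.src_ip] > RATE_LIMIT:
            self.stats["dropped_rate"] += 1
            return 429
        if req.method not in ALLOWED_METHODS:
            self.stats["dropped_method"] += 1
            return 405
        if not allowed_path(req.path):
            self.stats["dropped_path"] += 1
            return 404
        self.stats["forwarded"] += 1
        # Clean request: forwarded to the origin from the DMZ's own address.
        return self.origin.handle(req, peer_ip=DMZ_EGRESS_IP)


def simulate() -> dict:
    """Constructed traffic mix: legitimate users, one flooding source, a few
    probes for routes that do not exist, and one direct-to-origin bypass attempt."""
    origin = Origin()
    dmz = CloudDmz(origin)
    legit = [
        Request("198.51.100.10", "GET", "/"),
        Request("198.51.100.10", "GET", "/catalog/item/1"),
        Request("198.51.100.11", "POST", "/checkout"),
        Request("198.51.100.12", "GET", "/api/orders"),
        Request("198.51.100.12", "GET", "/catalog/"),
    ]
    flood = [Request("203.0.113.7", "GET", "/") for _ in range(30)]
    probes = [
        Request("203.0.113.9", "GET", "/admin"),
        Request("203.0.113.9", "GET", "/.git/config"),
        Request("203.0.113.9", "DELETE", "/api/orders"),
    ]
    for req in legit + flood + probes:
        dmz.handle(req)
    # Bypass attempt: the origin sees a peer that is not the DMZ egress.
    direct_status = origin.handle(Request("203.0.113.9", "GET", "/"),
                                  peer_ip="203.0.113.9")
    return {
        "dmz": dict(dmz.stats),
        "origin_served": origin.served,
        "origin_alerts": list(origin.alerts),
        "direct_status": direct_status,
    }


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` shows the shape of the argument: the flood and the probes are absorbed and counted in the cloud layer, the origin serves only the forwarded requests, and the single bypass attempt is the one event that surfaces as an origin alert. In a real deployment the origin-side check would be a firewall rule or mutual TLS between the cloud layer and the origin rather than a peer-address comparison in application code.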
The DMZ can no longer serve as a reliable line of defense. It is neither scalable nor secure enough to handle today's attack profiles, and it does not support the business. Organizations must re-architect their DMZ in order to serve customers under any type of attack and load. Security teams can now leverage the power of the cloud to improve their security. A cloud-DMZ is an example of such an implementation, one which produces clean traffic in a manageable way. I believe this is the future of security.
Do you agree with my statement?