A DMZ , or demilitarized zone, is a computer host or small network primarily used to separate a network into multiple zones to enhance security. The name is derived from the military term used to define an area between two nations where military actions are prohibited. DMZs are used to securely expose services like HTTP, FTP, SSH, SMTP, etc. to the outside world while keeping them in an internal network.
There are multiple techniques that can be used to isolate network segments, including:
- Physical network separation: A network is configured so that the traffic between two DMZs can only go through a security appliance. In this security appliance, the firewall and IDS/IPS rules are used to inspect the traffic to accept it or deny it from entering the internal network. This technique is the most secure but also the most expensive because it requires many physical devices to separate the network into multiple segments
- Logical network separation: This technique separates traffic between different segments by using a virtual/logical device rather than a physical device.
- Virtual local area network (VLAN): A VLAN works on layer 2, where it interfaces with the same tags in the broadcast domain, whereas every interface on a switch is in a broadcast domain by default. VLAN-capable switches can create multiple logically separated networks by using VLAN tags to keep predefined ports in their own broadcast domain.
- Virtual routing and forwarding: This technique works on layer 3 and enables multiple routing tables to coexist on the same router at the same time, allowing network segmentation using one device.
- Multiprotocol Label Switching (MPLS): MPLS works on layer 3 and routes packets based on labels rather than network addresses stored in routing tables. The labels are used to identify the distant node to which the packets will be forwarded.
- Virtual switch: A virtual switch in virtualization hypervisors can be used to separate one network from the other. It is similar to a physical switch and is used to forward data packets, but is implemented as a software solution, so no additional hardware is needed.
VMware's DMZ Virtualization with VMware Infrastructure white paper states that a virtual DMZ provides an equal amount of security as a physical DMZ, resulting in an equally secure virtualized DMZ network. The use of virtualization technology has increased tremendously over the last several years; virtual machines (VMs) can now substitute for physical servers. The same trend has been observed in DMZs, where physical DMZs are being replaced by virtual DMZs to keep networks properly segmented and secure.
The DMZ virtualization with VMware infrastructure presents three typical virtualized DMZ configurations in use today:
- Partially collapsed DMZ with separate physical trust zones: Each zone is physically separated from the other zones where the hosts are VMs. This DMZ configuration directly resembles the physical DMZ, where the network separation is done on the physical network and not within the virtualization infrastructure.
- Partially collapsed DMZ with virtual separation of trust zones: Different zones are virtually separated, but are physically on the same ESX host. Each DMZ uses a separate virtual switch that ensures the hosts connected to the virtual switch are separated from the hosts in the other zones. The communication between different DMZs still occurs through the physical network connected to the ESX host.
- Fully collapsed DMZ: In this scenario, a whole DMZ is virtualized, including VMs and switches, resulting in traffic destined between different DMZs not leaving the ESX host.
See Infosec Institute's article on Virtual DMZs in the Cloud
A virtual DMZ network is prone to various security weaknesses that must be resolved to maintain a secure and trusting environment. Here are several examples of such weaknesses:
- Hypervisor host compromise: Each VM on an ESX host has its own virtual NIC connected to a virtual switch separate from the internal network. This type of configuration is safe, and traffic cannot traverse between different security zones, so a compromised VM cannot be used to pivot access to an internal VM. But a vulnerable ESX host can be exploited in order to gain access to the host itself, which gives an attacker direct access to the host and every configured VM.
In 2008, Immunity Inc. developed a Cloudburst attack vector that was able to escape the VM jail and compromise the whole host. There were only a few occurrences of such attacks, which are now fixed, but to protect against such attacks, it's important to regularly update the virtualization software to achieve maximum security.
- Virtual NIC configuration: A NIC placed in the wrong virtual switch could allow an attacker access to sensitive information that is normally separated and in a different DMZ. To defend against such misconfiguration, take extra care when setting up a VM. The same mistake can just as easily be made in a physical network by plugging the cables into the wrong physical switches, so this isn't specific to virtual DMZ environments.
- Access to the service console/VMkernel: If a service console or a VMkernel can be accessed from the DMZ network, an attacker can access the password by brute force or a dictionary attack to gain full access to all VMs on the host. When using ESX, the management interface needs to be properly isolated by being assigned to a dedicated vSwitch with at least one pNIC, though it's a good idea to have multiple pNICs for failover. To protect against such attacks, a VM belonging to a DMZ should never be on the same vSwitch as service console or VMkernel, because a compromised VM in a DMZ could be used by an attacker to gain full access to every VM on a host.
- Network-attached storage (NAS): Network-attached storage should be connected to its own vSwitch so it's not accessible from the compromised host in a DMZ network. This further protects the network against attacks on iSCSI/NFS protocols most often used with NAS.
- Data-Link Layer protections: Each virtual switch must be configured to detect and protect against layer 2 attacks, like MAC spoofing, man-in-the-middle attacks and promiscuous mode, which strengthens the overall network security.
- VM resource limitations: Every VM must have a limited amount of assigned resources to properly protect the network against denial of service attacks. An attacker, having gained access to a VM in a DMZ network, can issue CPU-intensive operations, taking up all the host's resources and leaving none for the rest of the VMs. This can easily be prevented by using proper resource limitations, giving each VM a proportional share of available resources. Every vSwitch should also have multiple pNICs to load balance the traffic between them to avoid congestion.
- DMZ on separate vSwitch: A DMZ can be created by either placing the VMs in a separate vSwitch or by using multiple VLANs on the same vSwitch. The first method is the better of the two, because a dedicated vSwitch uses a separate pNIC, thus physically separating the traffic from an internal VLAN and an external VLAN. If a VM from an external VLAN wants to communicate with an internal VM, the traffic needs to go to the physical router over pNICs where a firewall can be used to block or allow traffic.
- Virtual DMZ configuration auditing: Each part of the virtualized DMZ network needs to be properly audited every so often to maintain best security practices.
- Configuration of user roles: Every administrator should belong to a different group according to the principle of least privilege to minimize the effect of misconfiguration.
There are several differences between virtual DMZ security and physical DMZ security. There are many techniques when configuring a logical network separation and each uses virtual switch implementations with security implications that need to be addressed using a secure, virtually segmented DMZ network. By properly resolving security considerations specific to virtual DMZs, it is possible to implement a secure virtual DMZ network to offer the same security as its physical counterpart. At the end of the day, the separation of one network segment from the rest of the network segments is important, and this can be achieved by using either the physical DMZ or the virtual DMZ.
About the author:
Dejan Lukan has an extensive knowledge of Linux/BSD system maintenance as well as security related concepts including system administration, network administration, security auditing, penetration testing, reverse engineering, malware analysis, fuzzing, debugging and antivirus evasion. He is also fluent in more than a dozen programming languages and constantly writes security-related articles for his own website at www.proteansec.com.
Looking to set up a DMZ? One of our experts explains how.
This learning guide reveals DMZ security best practices.