
Top 10 Network Security Mistakes - #10: Incorrectly Deployed DMZ Networks

July 17, 2013

The continued expansion of the IT Security field has resulted in a large number of otherwise unsuspecting technologists being repurposed into Security SMEs. Most of us welcome the growth of the industry, but rapid build-out can result in some loss of tribal knowledge transfer as we all scramble to fill the increasing needs around us. 

While most of these well-intentioned IT professionals are quite capable of learning new interfaces and technologies, certain aspects of network security come from experience and not from a book. The irony that I'll now attempt to capture some of this wisdom in blog format is not lost on me. 

So, without further ado, I present this ten-part series: Top 10 Network Security Mistakes

Many security breaches are not the result of criminal masterminds mercilessly overwhelming their prey, but rather a lack of basic security hygiene on the part of the prey. Certainly, there are occasional high-profile exploits - some of which rival any good Hollywood hacker portrayal - but the vast majority are much less exciting. 

Sorry adrenaline junkies, I will be focusing on the latter. 

I have assembled a list of common mistakes I've seen many times, in many places. Hopefully, with this list, you can learn from others' mistakes and make your network a bit more secure and less enticing to miscreants looking for low-hanging fruit. 

No system is 100% secure, but anything is better than 100% vulnerable, right? 

Let's get started!

#10 : Incorrectly Deployed DMZ Networks

Demilitarized Zones (DMZs) are intended to serve as bomb-dampening containers for hosts that must interact with the Internet.  A DMZ is the least secure place on your network, with the possible exception of the outside interface of your firewall (you do have a firewall, right?), which I always imagined looking a lot like a scene from The Matrix.

Sending a host into the DMZ is a bit like leaving your wallet in an unattended bucket of candy outside your front door on Halloween.  It will be found, gone through, photographed, tweeted, IRC’d and torn apart in case there is any information that might lead to a more valuable target.  It will be associated with your house, and may invite further scrutiny from unsavory characters, like those mean high school kids from the next town over with the abundant supply of toilet paper. (Man, those kids are jerks. But I digress.)

Even if you were to find your wallet again, you'd assume it was violated and that any information of value inside is gone or compromised. It would cease to be your wallet and just be a wallet. But hey, at least it was outside your house, right? Whew!  Maybe they’ll forget where you live… 

Now, let’s crank up the worst-case-scenario-o-meter a bit, shall we?

  • What if you left your front door unlocked?
  • What if you left the door open, and the candy bucket in your living room, in plain view?
  • What if you were out for the night?
  • What if you left your jewelry safe open because, “Hey, the house is always locked, right?” 

Okay, we’re getting a bit hyperbolic, but you get the point. 

The wallet would be the least of your concerns, right? Your whole house is in jeopardy now. Your handmade Scandinavian kissing tchotchke collection from that place up north might be lost forever! 

Whatever will you do?!

With some basic precautions, you can limit the damage that wallet can inflict on you and/or your house as a whole. If you minimize the information in your wallet, keep your front door locked, leave your lights on, watch the activity outside your door and only open it for people you know (and maybe to refill the candy bucket so those kids don't TP the house again this year), a dropped wallet just becomes another piece of low-value material outside your castle walls.

Restated in non-Halloween-analogy format:

  • Never, EVER place hosts that must interact with the Internet on your internal network.
  • Place all your Internet-facing hosts in a tightly controlled network segment like a DMZ.
  • Build restrictive, granular firewall policies to control traffic coming into and leaving the DMZ.
  • Monitor and log all activity going to and coming from the DMZ.
  • Do not store sensitive information such as PII, security keys, passwords or other valuable data on hosts in the DMZ.
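
As an added illustration (not part of the original post), the firewall and logging points above can be checked mechanically against a rule export. The zone names, the `Rule` fields and the sample policy are assumptions constructed for this example, not any vendor's format.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # source zone: "internet", "dmz", "internal" or "any"
    dst: str     # destination zone, same vocabulary
    port: str    # "any" or a single port number as text
    action: str  # "allow" or "deny"
    log: bool    # whether matches are logged


def audit(rules):
    """Return (rule name, finding) pairs for rules that break the DMZ guidance."""
    findings = []
    for r in rules:
        touches_dmz = "dmz" in (r.src, r.dst)
        # Monitoring: every rule that names the DMZ should log, allow or deny.
        if touches_dmz and not r.log:
            findings.append((r.name, "DMZ traffic not logged"))
        if r.action != "allow":
            continue
        # Internet-facing services belong in the DMZ, never on the inside.
        if r.src == "internet" and r.dst == "internal":
            findings.append((r.name, "Internet reaches internal network directly"))
        # Granularity: an any-port allow into or out of the DMZ is too broad.
        if touches_dmz and r.port == "any":
            findings.append((r.name, "allow rule is not granular (any port)"))
    return findings


# Constructed sample policy, ordered as a firewall would evaluate it.
SAMPLE = [
    Rule("web-in", "internet", "dmz", "443", "allow", True),
    Rule("legacy-rdp", "internet", "internal", "3389", "allow", True),
    Rule("dmz-to-lan", "dmz", "internal", "any", "allow", False),
    Rule("dmz-db", "dmz", "internal", "5432", "allow", True),
    Rule("dmz-out", "dmz", "internet", "any", "allow", True),
    Rule("default-deny", "any", "any", "any", "deny", True),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

The check covers both directions on purpose: the unrestricted `dmz-out` rule is flagged just like the inbound ones, since the guidance applies to traffic leaving the DMZ as well as entering it.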

That’s it for this installment. Remember: Apples may make the dentist happy, but dentists don’t TP houses.
