A demilitarized zone is also referred to as a screened subnet, or a perimeter network. In this book I will refer to it as a DMZ, as it's a common terminology that has been around for a long time.
While a bastion host separates your internal computers from the Internet by using a single computer, a DMZ isolates your network with a small separate network that is in addition to your internal network and separate from the Internet, as shown in Figure 3.16. A DMZ is sort of a neutral zone where clients from the Internet can access resources such as Web servers, but can't access the internal network. Two common implementation of DMZs, three-homed firewalls and back-to back firewalls, are covered later in this chapter.
Figure 3.16 A sample DMZ configuration.
A DMZ provides an extra layer of defense against attacks, because if security is compromised, hackers will only gain access to your DMZ, not your internal network. For example, you can place your Web servers, DNS servers, and e-mail servers in the DMZ and allow both the internal and external clients access to these servers.
As I mentioned previously, there are a couple of common ways that you can incorporate a DMZ in your network configuration. The first implementation is known as a three-homed firewall configuration, and the second way is known as a back-to-back firewall configuration. Both of these implementations offer better security than a bastion host. There are some other possible scenarios, but we will limit our discussions to the two scenarios I just mentioned.
Three-Homed Firewall Configuration
In a three-homed firewall configuration, you install three network adapters in your ISA Server computer that will act as a firewall. Each network card will route traffic to one of these three networks.
Network adapter 1 is connected to the internal network.
Network adapter 2 is connected to the DMZ network.
Network adapter 3 is connected to the Internet.
The sample DMZ configuration in Figure 3.16 shows a three-homed firewall configuration. This configuration provides better security than the bastion host configuration, and you have the added benefit of managing both the DMZ and the internal network from one location. However, one disadvantage of this configuration is that if hackers are able to penetrate your firewall, they will have access to both the DMZ and the internal network.
When working with ISA Server, use IP packet filtering, application filtering, and intrusion detection filtering to secure inbound traffic. Use site and content rules and protocol rules to control outbound traffic.
Back-to-Back Firewall Configuration
A three-homed configuration is a simpler way to add a DMZ to your network, but is not as secure as a back-to-back configuration. A back-to-back firewall configuration is shown in Figure 3.17. In this scenario, two ISA Server computers are used as back-to-back firewalls with a DMZ network sandwiched in between.
Figure 3.17 A back-to-back firewall configuration.
As you can see, one ISA Server (the external firewall) is connected to the Internet and the DMZ network, whereas the other ISA server (the internal firewall) is connected to your internal network and the DMZ network. With this approach, a potential hacker would need to pass through two ISA Server computers to gain access to your internal network.
Another advantage of a back-to-back configuration is that you can better manage your security by configuring rules that are more restrictive, compared to the three-homed configuration. One disadvantage of back-to-back configuration is that your enterprise security picture can get more complicated, as now you have to manage two firewalls.