DMZ is the abbreviation of "Demilitarized Zone". It was introduced to solve the problem that, once a firewall is installed, the external network can no longer reach servers on the internal network: it is a buffer zone between the non-secure system and the secure system. This buffer is a small network segment that sits between the enterprise's internal network and the external network, and it is where servers that must be publicly reachable are placed, such as the enterprise Web server, FTP server and forum. At the same time, a DMZ protects the internal network more effectively, because compared with an ordinary firewall deployment this layout puts one more barrier in an attacker's way. Since firewalls first appeared, the DMZ has been a standard component of network design.
Which services should be placed in the DMZ?
Any service that users need to reach from the external network can be placed in the DMZ. Common examples are: Web servers, Mail servers, FTP servers, VoIP servers, ...
As a general rule, a DMZ server should never contain any valuable data, so even if someone managed to break into a server in the DMZ, the damage would be minor.
Access control policy between the external network, the DMZ and the internal network
Excerpted from Stack Overflow: To summarize - there are three "areas" - the big, bad outside world, your pure and virginal inside world, and the well known, trusted, safe DMZ.
The rules are:
- Connections from outside can only get to hosts in the DMZ, and on specific ports (80, 443, etc);
- Connections from the outside to the inside are blocked absolutely;
- Connections from the inside to either the DMZ or the outside are fine and dandy;
- Only hosts in the DMZ may establish connections to the inside, and again, only on well known and permitted ports.
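The four rules above describe which zone may initiate a connection to which other zone, and on which ports. The following evaluator is an added example (not code from the original article or from the Stack Overflow answer) that encodes them as a default-deny policy over three zones and checks constructed connection attempts against it. The address ranges (192.0.2.0/24 for the DMZ, 10.0.0.0/8 for the inside) and the port sets (80/443 for outside-to-DMZ, 5432 for DMZ-to-inside) are assumptions chosen for the example; the quoted rules say nothing about DMZ-to-outside traffic, so the example denies it by default.

```python
"""Zone-based DMZ policy evaluator (illustrative example, not a real firewall).

Implements the four rules quoted above as a default-deny policy between
three zones (outside, dmz, inside) and evaluates connection attempts.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address plan (constructed for this example, documentation/private ranges).
ZONES = {
    "dmz": [ip_network("192.0.2.0/24")],
    "inside": [ip_network("10.0.0.0/8")],
}

# Assumed "well known and permitted" ports.
DMZ_PUBLIC_PORTS = {80, 443}   # outside -> dmz (rule 1)
DMZ_TO_INSIDE_PORTS = {5432}   # dmz -> inside (rule 4), e.g. a database behind the web tier


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything not in a known range is the outside world."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "outside"


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule: str   # which rule produced the verdict, for logging and review


def evaluate(src: str, dst: str, dport: int) -> Decision:
    """Decide whether a new connection src -> dst:dport may be established."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        # Same-zone traffic never traverses the perimeter firewall.
        return Decision(True, "intra-zone, not filtered here")
    if s == "inside":
        # Rule 3: inside may reach the DMZ or the outside.
        return Decision(True, "inside-initiated")
    if s == "outside":
        if d == "inside":
            # Rule 2: blocked absolutely, regardless of port.
            return Decision(False, "outside->inside blocked absolutely")
        if dport in DMZ_PUBLIC_PORTS:
            # Rule 1: only specific public ports on DMZ hosts.
            return Decision(True, "outside->dmz public port")
        return Decision(False, "outside->dmz port not public")
    # s == "dmz"
    if d == "inside" and dport in DMZ_TO_INSIDE_PORTS:
        # Rule 4: DMZ may reach inside only on permitted ports.
        return Decision(True, "dmz->inside permitted port")
    if d == "inside":
        return Decision(False, "dmz->inside port not permitted")
    # dmz -> outside is not covered by the quoted rules: default deny (assumption).
    return Decision(False, "dmz->outside not permitted by default")


def denied(attempts):
    """Return the attempts the policy rejects, each paired with the matching rule."""
    out = []
    for src, dst, dport in attempts:
        verdict = evaluate(src, dst, dport)
        if not verdict.allowed:
            out.append(((src, dst, dport), verdict.rule))
    return out


# Constructed connection attempts for a quick run.
SAMPLE_ATTEMPTS = [
    ("203.0.113.5", "192.0.2.10", 443),   # outside -> dmz web: allowed
    ("203.0.113.5", "192.0.2.10", 22),    # outside -> dmz ssh: denied
    ("203.0.113.5", "10.1.2.3", 443),     # outside -> inside: denied
    ("10.1.2.3", "203.0.113.5", 443),     # inside -> outside: allowed
    ("192.0.2.10", "10.1.2.3", 5432),     # dmz -> inside db: allowed
    ("192.0.2.10", "10.1.2.3", 445),      # dmz -> inside smb: denied
]

if __name__ == "__main__":
    for attempt, rule in denied(SAMPLE_ATTEMPTS):
        print("DENY", attempt, "-", rule)
```

The rules apply to connection establishment only; on a real stateful firewall the return packets of a permitted connection are accepted by connection tracking, which is why the outside-to-inside rule can stay absolute without breaking replies to inside-initiated traffic. The `rule` string attached to each decision is what you would log, so that denied DMZ-to-inside attempts on unexpected ports (a sign that a DMZ host may have been compromised) are visible to monitoring.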
The two mainstream DMZ design architectures:
Single firewall:
Dual firewall: