How Does the DMZ Impact Security?

The DMZ and Security


Your Secret Weapon for Data Security

When weapons and military forces have been removed from active duty, this is referred to as “demilitarization.” On the internet, the demilitarized zone, or the DMZ, is a similar situation.

What is the DMZ?

The DMZ is the neutral network that resides between the Internet and your organization’s private network. It’s protected with a front-end firewall that limits Internet traffic to certain systems within its zone. On the back end, an additional firewall resides to prevent unauthorized access from the DMZ into the private network.

How Does the DMZ Work?

The DMZ essentially serves as a staging area between an organization’s private network and the Internet.

In order to share a document with a trading partner accurately, an internal program or employee would need to first copy the desired file from their private network onto a server in the DMZ. The partner could then download the file from that server using an approved protocol, such as FTP/FTPS, SFTP, or HTTP/HTTPS.

When trading partners need to share documents with an organization, they upload the files to a server in the DMZ. An internal program or employee then scans for the files on that server and pulls them into the private network.

How Can the DMZ be Dangerous and Impact Security?

Although many organizations exchange files using the DMZ, staging files in a vulnerable location like the very publicly accessible DMZ makes them susceptible to a variety of dangerous attacks from enemy territory.

The DMZ can have a major impact on security if not protected properly. In the event that a hacker gains entry to a file server in the DMZ, they may be able to access and download sensitive data and trading partner files that were placed there. Even encrypted files can be at risk from high-grade attackers if keys or passwords are compromised. There’s also a strong likelihood that any user credentials, certificates, or whatever else is needed for authentication could be maintained in the DMZ, increasing vulnerability.

Also at risk is the file sharing software itself, particularly if it can be accessed from within the DMZ. For instance, let’s say a malicious attacker gains access to your territory by creating a “back door” user account into an SFTP server through its admin console. This user account could seemingly appear as “legitimate” and allow the hacker the opportunity to steal sensitive data files. Audit logs could also be manipulated if they’re stored in the DMZ, allowing the attacker to erase any trail they were ever there.

Introducing GoAnywhere Gateway, a Secure DMZ Gateway

If you need to use the DMZ but are feeling uncertain, a great option is a DMZ secure gateway such as GoAnywhere Gateway.

GoAnywhere Gateway is an enhanced reverse and forward proxy that provides organizations with an additional layer of security for exchanging sensitive data with trading partners. The reverse proxy handles inbound requests from trading partners, while the forward proxy takes care of outbound file transfer requests from internal employees and systems.

With a DMZ secure gateway, like GoAnywhere Gateway, security concerns are solved by allowing an organization to move file sharing and other public services from the DMZ into the private network without having to open any inbound ports. This approach keeps data files safe in the private network since they no longer need to be staged in the DMZ. It also helps support compliance with PCI DSS, HIPAA, HITECH, SOX, GLBA, and state privacy laws due to the lack of inbound ports needing to be opened into your private network.
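One way to verify the "no inbound ports into the private network" posture described above is to evaluate the firewall rule set as the firewall would and list every connection an untrusted zone can still initiate inward. This is an added example, not GoAnywhere code; the zone names, the rule format, first-match-wins evaluation with default deny, and both rule sets are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str      # zone that initiates the connection ("any" = wildcard)
    dst: str      # zone that receives it
    port: object  # destination port as int, or "any"
    action: str   # "allow" or "deny"

def _match(field, value):
    return field == "any" or field == value

def decide(rules, src, dst, port):
    """Evaluate one connection attempt: first matching rule wins, else default deny."""
    for idx, r in enumerate(rules):
        if _match(r.src, src) and _match(r.dst, dst) and _match(r.port, port):
            return r.action, idx
    return "deny", None

def inbound_exposure(rules, ports):
    """List (src_zone, port, rule_index) for each connection that the
    Internet or the DMZ is allowed to initiate into the private network."""
    findings = []
    for src in ("internet", "dmz"):
        for port in ports:
            action, idx = decide(rules, src, "private", port)
            if action == "allow":
                findings.append((src, port, idx))
    return findings

PORTS = (21, 22, 80, 443, 990)  # FTP, SFTP/SCP, HTTP, HTTPS, implicit FTPS

# Constructed rule set: the DMZ server may push uploads inward over SFTP.
PUSH_FROM_DMZ = [
    Rule("internet", "dmz", 22, "allow"),
    Rule("internet", "private", "any", "deny"),
    Rule("dmz", "private", 22, "allow"),      # inbound port opened into private
    Rule("private", "dmz", "any", "allow"),
]
# Constructed rule set: only the private network initiates connections.
OUTBOUND_ONLY = [
    Rule("internet", "dmz", 22, "allow"),
    Rule("dmz", "private", "any", "deny"),
    Rule("dmz", "private", 22, "allow"),      # shadowed by the deny above
    Rule("private", "dmz", "any", "allow"),
]

if __name__ == "__main__":
    for name, rs in (("PUSH_FROM_DMZ", PUSH_FROM_DMZ), ("OUTBOUND_ONLY", OUTBOUND_ONLY)):
        print(name, inbound_exposure(rs, PORTS))
```

Because the check evaluates rules in order, an allow rule that an earlier deny shadows is not reported, while an allow that actually takes effect is reported with the index of the rule responsible.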

GoAnywhere Gateway also supports FTP, FTPS, SFTP, SCP, HTTP, HTTPS, and AS2 file transfer protocols. With Gateway, file sharing services can be kept safe and secure inside your private network, without exposing data to your DMZ.

Keep Sensitive Data Out of the DMZ

GoAnywhere Gateway provides an additional layer of security to keep your transfers safe.