The DMZ is an isolated network placed as a buffer area between a company's Trusted Network and the Non-trusted Network. The Internet is always defined as untrusted. By design, the DMZ prevents outside users from gaining direct access to the Trusted Network. The following figure shows a generic DMZ:
Most DMZs are configured via a set of rules that are controlled by the Policies and then implemented via the Procedures for your organization. One of the most common rules is that a single port number (like 80) cannot traverse the DMZ. So if you are attempting to access an application on a DMZ via HTTP on port 80, then that port cannot terminate into the trusted network via the DMZ. This is what the DMZ does; it keeps untrusted traffic from entering the Trusted Network. It is the job of the DMZ to filter the traffic and limit access to the Trusted Network via filtering and authentication, and even to completely block traffic if needed. Here are a few examples of what the DMZ can do:
Block port scans of your Trusted Network
Block access to the Trusted Network via a single TCP port
Block Denial of Service Attacks (DoS) from your trusted network
Scan email messages for virus, content, and size
Block passive eavesdropping/packet sniffing
So, how does SSL VPN fit into corporate network infrastructure? Below are a couple of examples of SSL VPN access.
SSL VPN access to selected devices via the use of an SSL VPN hub (access from the Internet)
SSL VPN access to a special network that uses an SSP VPN hub sitting between the trusted network and the special network
One of the key security elements of a DMZ is the ability to terminate the IP connection at various points in the DMZ and the trusted network. The example below shows a client connection on the Internet (untrusted) to an SSL VPN hub on a trusted network.
The traffic is routed into the DMZ, and then is terminated at the router. The IP address is now translated to a DMZ IP address, for example 10.10.10.10. The DMZ can then provide some authentication and allow the traffic to route to the trusted side of the DMZ. At this point the IP address can be translated to another IP address, like 192.168.10.12. The packets are then routed to the SSL VPN device (hub).
The SSL VPN will execute additional checks on the traffic. If all tests are passed then, based on a set of rules and authentication, the traffic could be routed to the HTTP messaging server. In this example you could have a CxO (CEO, CIO, CTO, etc.) on vacation, checking out the Lion King playing on 42nd street. Before sitting down, the CxOwalks into the Internet Café next door and checks his or her email. Now the CxO can feel secure that Hacker Bob will not be able to read those important corporate emails.
Network architectures used to support SSL VPN access from the Internet will be discussed in detail in Chapter 4.
Many large enterprise companies will have private networks. These private networks can span not only just their home country, but can also span the globe. In many cases, these private networks will interconnect via several Internet Service Providers (ISPs). Also some companies will not only have a private network at their local office, but will also have a Point of Presence (POP) to the Internet. This can add additional challenges to keeping the private network secure; each POP is an opportunity for Hacker Bob to enter the network. Additionally, not all corporate employees and contractors are necessarily honest; some may also pose a threat to internal resources. As a result, large companies often regard their trusted private network as untrusted. The risk is that there can be unauthorized access into the private network at several points—not only from the POPs, but also from the ISP. The example below shows where SSL and/or SSL VPNs can be used to provide secure access where the network is NOT trusted:
In the above example, the end user is hosted on the corporate trusted network. The end user may want to access a web page, messaging, or even their file server. Traffic will originate at the end user's computer and will be routed via the trusted network basic address, for example, 192.168.10.22. Packets are terminated in the SSL VPN hub; at this point the data is then routed to each service. Now, a worldwide organization can determine that its data transfers are secure, and not readable by bad old Hacker Bob.