Monday, June 23, 2014
DMZ Gateway 101
The DMZ Gateway is a solution for protecting your internal network. Find out more about how it works and why it’s needed.
by Eric Hall, Director of Sales Engineering
Secure File Transfer
NOTE: DMZ Gateway can be used in conjunction with both EFT and Mail Express. For simplicity, I’ll typically refer to the internal server as EFT, with the understanding that it could also be Mail Express.
The most secure system is one to which no person or system has access. However, such a system is also basically useless. Imagine a vault: whatever is kept in it is locked down completely, and only the few who hold the proper combination can get in. That is a secure system, but one with minimal availability. In an IT environment where collaboration is key, this model is ineffective. That is why the CIA Triad exists in the information security world: for a system to be secure, you must ensure not only confidentiality and integrity but also availability.
From a security standpoint, the Internet is a dark and scary place, the worst of all neighborhoods, and it is best avoided whenever possible. The problem is that all your business partners, clients, and vendors live there, which means you can't really avoid it. We all know that, so we put buffer network zones between our sensitive internal workings and the cold and dangerous Internet. We call these zones the DMZ, the edge, the perimeter, and so on. While the Internet is considered a hostile network, the DMZ is generally considered merely untrusted. It is part of the network you oversee and manage, but its proximity to the Internet, and the fact that it must accept at least some connections from that hostile network, mean it cannot be trusted to uphold the same integrity and security as the internal network segments. If you house your secrets in the DMZ, even temporarily, you cannot assume they are safe.
With this in mind, the initial and ongoing configuration and use of a DMZ is a complicated task, involving a large number of decisions and postures that must be continually revisited. Compromises are constantly proposed and must be evaluated before being accepted or rejected. As with the CIA Triad, administrators must balance security with accessibility.
Do you want only authenticated and authorized users to have access, without exposing your authentication and authorization sources (your directory, for example) to the DMZ?
Do you want to whitelist incoming IP addresses? With the advent of laptops and mobile devices, connecting clients may be coming from nearly any network in the world.
Do you want to examine all communications, yet keep anyone else from seeing them? If your inspection point can see the traffic in the clear, what prevents a clever or lucky hacker who compromises that point from peering over your shoulder?
What if you decide to encrypt your data? Then you have to decrypt it to examine it, with little assurance that no one else is having a look. And decrypting it in the DMZ means storing the private keys and their passphrases out there in the untrusted zone, where they are far more vulnerable to attack.
What if you want to audit everything that happens in the DMZ? Then you have to house and expose database servers out there, where they are, once more, far more vulnerable to attack.
It never really ends.
If you are ever dealing with payment card data, it becomes far worse. Not only does the system in the DMZ that handles that data fall under PCI DSS, but every other system sharing that network segment is pulled into scope as well.
That leaves you with basically three choices:
- Build a whole new dedicated network and virtualization infrastructure from scratch, separate from the existing DMZ.
- Figure out some way to make all other systems in the DMZ compliant.
- Give up and close up shop.
That last one isn’t really an option, and the first two are extremely painful and expensive—and that’s before you get around to suffering through a PCI audit!
That's where Globalscape's DMZ Gateway comes in. The DMZ Gateway is the Internet-facing guardian of internal Globalscape services. It enables a multi-tier architecture that allows EFT to be placed in the internal network, safe and cozy and warm, with trusted access to sensitive backend resources, and those resources can reach EFT in turn. DMZ Gateway enables free exchange of information within your internal network and integration with your backend systems and people. Suddenly, EFT can effectively access and be accessed by authentication sources, storage sources, databases, intranet web servers, and so on. Now integration is possible with monitoring systems, message queues, enterprise job management solutions, mainframes, app servers, SAP, BizTalk, Exchange, AD, and so much more.
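The architecture the paragraph above describes, as an added example that is not Globalscape's code and does not describe the product's actual wire protocol: a minimal broker that sits in the DMZ, to which the internal server connects outbound, so Internet clients only ever reach a DMZ listener and no inbound path into the internal segment is opened. The CONTROL/NEW/SESSION handshake, the message formats, the loopback addresses and the ephemeral ports are assumptions made for this demonstration.

```python
# Added example (not Globalscape's code) of the pattern described above: the
# internal server dials OUT to a broker in the DMZ, so nothing inbound reaches the
# inside and the broker stores no data, credentials or keys. Handshake, message
# formats, loopback addresses and ports are assumptions made for this demo.
import socket
import threading
import uuid
from contextlib import suppress

def _readline(sock):
    buf = b""                       # byte-by-byte: never over-read past the header
    with suppress(OSError):
        while not buf.endswith(b"\n") and (ch := sock.recv(1)):
            buf += ch
    return buf.decode(errors="replace").strip()

def _pump(src, dst):
    # Copy src -> dst until src closes, then pass the EOF on to dst.
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _relay(a, b):
    # Opaque bidirectional relay: the broker never parses or stores the payload.
    t = threading.Thread(target=_pump, args=(b, a), daemon=True)
    t.start()
    _pump(a, b)
    t.join()
    a.close()
    b.close()

class DmzBroker:
    """In the DMZ: an Internet-facing listener plus one that only ever sees outbound connections from inside."""
    def __init__(self, host="127.0.0.1"):
        self.public_ln = socket.create_server((host, 0))
        self.backend_ln = socket.create_server((host, 0))
        self.public_port = self.public_ln.getsockname()[1]
        self.backend_port = self.backend_ln.getsockname()[1]
        self.control = None                     # persistent channel from inside
        self.control_ready = threading.Event()
        self.waiting = {}                       # session id -> client socket
        threading.Thread(target=self._accept_backend, daemon=True).start()
        threading.Thread(target=self._accept_public, daemon=True).start()

    def _accept_backend(self):
        while True:
            conn, _ = self.backend_ln.accept()
            header = _readline(conn)
            if header == "CONTROL":
                self.control = conn
                self.control_ready.set()
                continue
            client = self.waiting.pop(header[8:], None) if header.startswith("SESSION ") else None
            if client is None:
                conn.close()                    # unknown or malformed session: drop
            else:
                threading.Thread(target=_relay, args=(client, conn), daemon=True).start()

    def _accept_public(self):
        while True:
            client, _ = self.public_ln.accept()
            if self.control is None:
                client.close()                  # nobody inside to serve: fail closed
                continue
            sid = uuid.uuid4().hex
            self.waiting[sid] = client
            self.control.sendall(f"NEW {sid}\n".encode())   # ask the inside to dial out

class InternalServer:
    """On the internal network (EFT's role): one outbound control channel, one outbound connection per session."""
    def __init__(self, broker_host, backend_port):
        self.broker = (broker_host, backend_port)
        self.control = socket.create_connection(self.broker)
        self.control.sendall(b"CONTROL\n")
        threading.Thread(target=self._control_loop, daemon=True).start()

    def _control_loop(self):
        while (line := _readline(self.control)).startswith("NEW "):
            threading.Thread(target=self._serve, args=(line[4:],), daemon=True).start()

    def _serve(self, sid):
        data = socket.create_connection(self.broker)   # outbound, one per session
        data.sendall(f"SESSION {sid}\n".encode())
        while chunk := data.recv(4096):                # the "app": upper-case input
            data.sendall(chunk.upper())
        data.close()

def run_demo(message=b"hello from the internet\n"):
    broker = DmzBroker()
    InternalServer("127.0.0.1", broker.backend_port)
    broker.control_ready.wait(5)                # until the inside has dialed in
    client = socket.create_connection(("127.0.0.1", broker.public_port))
    client.sendall(message)
    client.shutdown(socket.SHUT_WR)             # done sending; now read the reply
    reply = b"".join(iter(lambda: client.recv(4096), b""))
    client.close()
    return reply                                # b"HELLO FROM THE INTERNET\n"
```

Calling `run_demo()` plays an Internet client against the broker and returns the upper-cased echo that the internal server produced. Two properties are the point of the exercise: the broker never holds keys, credentials or the transferred bytes, it only pumps them between two sockets it did not initiate, and a client that arrives before the internal server has dialed in is refused rather than queued, so a lost control channel fails closed. A production gateway would also authenticate the control channel before trusting it (mutual TLS and a source allow-list are the usual means), which this demo omits.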
A whole new world of opportunity opens up, rapidly and legitimately increasing the value of your investments. EFT, aided by DMZ Gateway, redirects the energy of your highly skilled and highly paid personnel away from handling a mess of file transfer scripts at dozens or even thousands of one-off endpoints, allows them to focus on what those systems do well, and lets EFT handle those file transfer tasks far more efficiently, in a centralized manner that is more visible and auditable as well as more reliable and more secure.