Fortify Your DMZ Right Now
At the edge of your enterprise network, whether on-premises or in the cloud, there will be a DMZ. You may have heard about it when speaking to the networking team, or you may work on its configuration yourself.
The term is usually used without its original context in mind: a demilitarized zone is a strip of territory between two opposing forces, at war or at peace, that both sides agree to keep free of military presence, creating a buffer. In the network context, a DMZ is a network segment that sits between an organization's internal network and an untrusted network, usually the Internet but often a partner enterprise, and acts as a barrier against attacks coming from that untrusted side. Network DMZs have been in use for at least 30 years, though they were not always called that.
The thinking behind putting a server in a DMZ is that if that machine does get compromised, the compromise can be contained and not spread to the internal network. If you're thinking this seems a bit antiquated in the modern world of Zero Trust, you are correct. DMZs are an old idea, yet they persist; we do not see DMZs being retired even with the renewed focus on privacy and security and the push for Zero Trust Architectures. In fact, we see the idea of the DMZ expanding into the internal network: this is micro-segmentation and overlay networking, putting everything in its own DMZ. The concept is sound, but in practice the complexity grows with every segment added, and the two are at odds. Many organizations try micro-segmentation and/or overlay networks only to give up as complexity, cost, and operational risk all spike. The most recent cycle has swung back to network DMZs plus tried and tested host firewalls and virus scanners on workstations. It seems we are back to the future.
But the adversaries have had a much easier time of it, reaping the benefits of AI and automated attack tooling that can work away at systems 24x7, levering their way in slowly and stealthily. This is why the number of attacks and privacy breaches keeps climbing year after year. How do we respond? Throw our hands in the air and say, "It's an industry-wide issue!" No. We have to fight back and look at the fundamentals.
How do these attacks happen? The answer is simple: a small vulnerability somewhere on the network's attack surface serves as the entry point, and that foothold is then escalated with social engineering or further exploitation of software vulnerabilities. We have also seen a number of pre-authentication attacks. This means that, although a service requires authentication and only allows authenticated connections, a flaw in the code that runs before authentication completes lets the attacker sidestep the check and gain access without ever being authenticated. Other methods use time as an attack vector: guessing usernames and passwords slowly enough, or spreading one password across many accounts, to stay under the lockout and rate-limit thresholds that catch a noisy brute-force. With AI and bots scanning the Internet's attack surface, which includes hundreds of millions of open ports, the result is daily headlines of breaches and cyberattacks.
The only real solution is a combination of encryption (a scanner learns nothing from traffic it cannot read) and closing every inbound port on servers connected to the Internet (a scanner cannot probe a service it cannot reach). That will, of course, take time, so what can you do now?
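The "time as an attack vector" point above is worth seeing in log data, because the usual fail2ban-style rule (N failures in a few minutes) is exactly what a patient attacker tunes around. The following is an added example written for this article, not code from the original page or from Atsign. It runs a sliding-window counter over OpenSSH "Failed password" lines with two different windows: a short one that catches the classic brute-forcer and a 24-hour one that catches the slow guesser the short window never sees. The log lines, the host name dmz-web1, the IP addresses, and the assumed year are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the usual syslog/OpenSSH format (not real data).
# 203.0.113.7 is a low-and-slow attacker: one failure every 13-14 minutes.
# 192.0.2.9 is a classic brute-forcer: six failures in ninety seconds.
# 198.51.100.20 is a legitimate user who mistyped a password twice.
SAMPLE_LOG = """\
Mar 10 01:00:03 dmz-web1 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 01:13:41 dmz-web1 sshd[4188]: Failed password for root from 203.0.113.7 port 51098 ssh2
Mar 10 01:27:09 dmz-web1 sshd[4260]: Failed password for invalid user oracle from 203.0.113.7 port 51140 ssh2
Mar 10 01:41:55 dmz-web1 sshd[4333]: Failed password for invalid user postgres from 203.0.113.7 port 51201 ssh2
Mar 10 01:55:30 dmz-web1 sshd[4402]: Failed password for invalid user ubuntu from 203.0.113.7 port 51266 ssh2
Mar 10 02:09:12 dmz-web1 sshd[4471]: Failed password for invalid user test from 203.0.113.7 port 51310 ssh2
Mar 10 02:23:48 dmz-web1 sshd[4539]: Failed password for invalid user git from 203.0.113.7 port 51377 ssh2
Mar 10 02:37:20 dmz-web1 sshd[4610]: Failed password for invalid user deploy from 203.0.113.7 port 51421 ssh2
Mar 10 02:51:02 dmz-web1 sshd[4684]: Failed password for root from 203.0.113.7 port 51488 ssh2
Mar 10 03:05:37 dmz-web1 sshd[4750]: Failed password for invalid user backup from 203.0.113.7 port 51530 ssh2
Mar 10 03:19:14 dmz-web1 sshd[4822]: Failed password for invalid user jenkins from 203.0.113.7 port 51599 ssh2
Mar 10 03:33:50 dmz-web1 sshd[4891]: Failed password for invalid user ansible from 203.0.113.7 port 51642 ssh2
Mar 10 04:00:01 dmz-web1 sshd[5003]: Failed password for root from 192.0.2.9 port 40001 ssh2
Mar 10 04:00:18 dmz-web1 sshd[5004]: Failed password for root from 192.0.2.9 port 40002 ssh2
Mar 10 04:00:35 dmz-web1 sshd[5005]: Failed password for root from 192.0.2.9 port 40003 ssh2
Mar 10 04:00:52 dmz-web1 sshd[5006]: Failed password for root from 192.0.2.9 port 40004 ssh2
Mar 10 04:01:10 dmz-web1 sshd[5007]: Failed password for root from 192.0.2.9 port 40005 ssh2
Mar 10 04:01:30 dmz-web1 sshd[5008]: Failed password for root from 192.0.2.9 port 40006 ssh2
Mar 10 09:00:05 dmz-web1 sshd[6120]: Failed password for alice from 198.51.100.20 port 55010 ssh2
Mar 10 09:00:21 dmz-web1 sshd[6120]: Failed password for alice from 198.51.100.20 port 55010 ssh2
Mar 10 09:00:40 dmz-web1 sshd[6120]: Accepted password for alice from 198.51.100.20 port 55010 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Return (timestamp, source_ip, username) for each failed-login line.

    Syslog timestamps carry no year, so one is assumed (hypothetical here).
    Accepted logins and unrelated lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append((ts, m["ip"], m["user"]))
    return events


def offenders(events, window_seconds, limit):
    """Source IPs with at least `limit` failures inside any span of `window_seconds`.

    A sliding window over each source's sorted failure times: the start index
    advances until the span fits, and the count between start and end is the
    number of failures in that span. A 24-hour window therefore catches one
    guess every quarter hour, which a 10-minute window never will."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ts, ip, _ in sorted(events):
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= limit:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    print("classic rule, 5 in 10 min:  ", sorted(offenders(failures, 600, 5)))
    print("long window, 10 in 24 h:    ", sorted(offenders(failures, 86400, 10)))
```

The two rules flag disjoint sets on this input: the short window sees only 192.0.2.9, the long window sees only 203.0.113.7, and alice's two typos trip neither. That is the point: run both, and treat a source that fails against a dozen different usernames over a morning as seriously as one that fails a dozen times in a minute.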
If you have machines in a DMZ, you already accept that one of them may get compromised. What you can do is make sure that a compromised machine finds nothing to move to: no other machine in the DMZ should have any open ports, particularly common attack surfaces like SSH (TCP 22) and RDP (TCP 3389).
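Before closing ports you need to know which ones are open, and "open" means reachable from a neighbour in the segment, not just from the Internet. The following is an added example, not code from the original page or from Atsign: it takes the output of `ss -Hltn` from a host, ignores loopback-only binds, subtracts the ports the host is meant to serve, and reports everything else as a lateral-movement target. The sample `ss` output, the host address 10.20.0.5, and the port-to-service labels are constructed for the example.

```python
import sys

# Constructed `ss -Hltn` output from a hypothetical DMZ host (not real data).
# -H drops the header, -l listening sockets only, -t TCP, -n numeric ports.
SAMPLE_SS = """\
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 [::]:443 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 [::1]:5432 [::]:*
LISTEN 0 4096 10.20.0.5:3389 0.0.0.0:*
LISTEN 0 4096 10.20.0.5:9100 0.0.0.0:*
"""

# Labels for the report only; the check itself does not depend on them.
WELL_KNOWN = {22: "ssh", 443: "https", 3389: "rdp", 5432: "postgres",
              6379: "redis", 9100: "node-exporter"}


def parse_listeners(ss_text):
    """Yield (local_address, port) for every LISTEN line of `ss -Hltn` output."""
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rsplit on the last colon handles both [::]:22 and 10.20.0.5:3389.
        addr, port = fields[3].rsplit(":", 1)
        yield addr, int(port)


def is_loopback(addr):
    """Only local processes can reach these; they are not a neighbour's target."""
    return addr.startswith("127.") or addr == "[::1]"


def exposed_listeners(ss_text, allowed_ports=frozenset()):
    """Listeners reachable from other hosts that are not on the allow-list.

    A wildcard bind (0.0.0.0 or [::]) and a bind to a specific interface
    address are treated the same: both are reachable from the DMZ segment,
    so both are reachable from any compromised neighbour."""
    findings = []
    for addr, port in parse_listeners(ss_text):
        if is_loopback(addr) or port in allowed_ports:
            continue
        findings.append((addr, port, WELL_KNOWN.get(port, "tcp")))
    return findings


if __name__ == "__main__":
    # Pipe real output in with:  ss -Hltn | python3 dmz_listeners.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    for addr, port, label in exposed_listeners(text, allowed_ports={443}):
        print(f"EXPOSED {label:14s} {addr}:{port}")
```

On the sample host only 443 is intended, so the report lists SSH on both address families, RDP, and the metrics exporter on 9100. The last one is the kind of listener people forget: it is not a management protocol, but it is still a door from a compromised neighbour into this host.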
To do that, take a look at NoPorts.com by Atsign. NoPorts is a tool that provides access to TCP services like SSH, RDP, and many (if not all) others, and it does so without any ports being open on the server at all. Machines in your DMZ are no longer a target for a port scanner, because there is nothing listening for it to find.
Once your DMZ hosts are closed, you can apply NoPorts across the rest of your estate and slowly disappear from sight for any attacker, while remaining freely available to your customers and partners.
Oh, and you'll radically reduce both your risk of attack and your security budget. Give us a call to start fighting back and saving some dollars! Our aim is to help you become invisible to the bad guys!
CEO | CIO | CINO | Futurist | Innovator | Entrepreneur | Engineer
4 months ago
Becoming 'invisible'—minimizing digital footprints and access—can reduce exposure, making it harder for potential threats to even find a target. Additionally, fortifying devices with robust software that provides active countermeasures offers a practical defense when contact with threats occurs. Ideally, a comprehensive cybersecurity strategy blends these two, using obscurity to reduce risk while also ensuring strong defenses are in place if attacks somehow occur.