What is the DMZ and how does it work?
The DMZ is the neutral network that resides between the Internet and your organization’s private network. It’s protected with a front-end firewall that limits Internet traffic to certain systems within its zone. On the back end, an additional firewall resides to prevent unauthorized access from the DMZ into the private network.
The DMZ essentially serves as a staging area between an organization’s private network and the Internet.
To share a document with a trading partner, an internal program or employee first needs to copy the desired file from the private network onto a server in the DMZ. The partner can then download the file from that server using an approved protocol, such as FTP/FTPS, SFTP, or HTTP/HTTPS.
When trading partners need to share documents with an organization, they upload the files to a server in the DMZ. An internal program or employee then scans the server for new files and pulls them into the private network.
How can the DMZ be dangerous and impact security?
Although many organizations exchange files through the DMZ, staging files in a publicly reachable location like the DMZ leaves them exposed to a variety of dangerous attacks from enemy territory.
The DMZ can have a major impact on security if it is not protected properly. If a hacker gains entry to a file server in the DMZ, they may be able to access and download the sensitive data and trading partner files that were placed there. Even encrypted files are at risk from high-grade attackers if the keys or passwords protecting them are compromised. There is also a strong likelihood that user credentials, certificates, or whatever else is needed for authentication is kept in the DMZ as well, which increases the exposure.
The file sharing software itself is also at risk, particularly if its administrative interface can be reached from within the DMZ. For instance, suppose an attacker gains a foothold in your territory by creating a “back door” user account on an SFTP server through its admin console. Such an account can appear entirely “legitimate” and gives the hacker an opportunity to steal sensitive data files. If the audit logs are stored in the DMZ, they can be manipulated too, allowing the attacker to erase any trail that they were ever there.
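As an added example (not code from the original article or from any product it mentions), the following Python sketch shows one defensive response to the two risks just described: audit events are forwarded out of the DMZ to a collector in the private network, which HMAC-chains them so that a record deleted or edited on the DMZ host no longer verifies, and account creations from non-internal sources are flagged for review. The event fields, the collector key and the internal address range are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample events from a hypothetical SFTP server admin console.
# Field names and values are assumptions for illustration, not a real log format.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:01Z", "actor": "admin", "action": "login",
     "src": "10.0.5.20"},
    {"ts": "2024-05-01T08:02:17Z", "actor": "admin", "action": "user.create",
     "target": "svc-backup", "src": "203.0.113.7"},
    {"ts": "2024-05-01T08:03:40Z", "actor": "svc-backup", "action": "file.download",
     "target": "/partners/acme/invoices.csv", "src": "203.0.113.7"},
]

# Constructed key; it is held only by the collector inside the private network,
# so a compromised DMZ host cannot recompute valid tags after editing records.
COLLECTOR_KEY = b"constructed-collector-key-not-for-production"
GENESIS = b"\x00" * 32


def chain_events(events, key):
    """Tag each event with HMAC(key, previous_tag || canonical_json(event))."""
    prev, chained = GENESIS, []
    for ev in events:
        payload = json.dumps(ev, sort_keys=True).encode()
        tag = hmac.new(key, prev + payload, hashlib.sha256).digest()
        chained.append({"event": ev, "tag": tag.hex()})
        prev = tag
    return chained


def verify_chain(chained, key):
    """Return the index of the first record whose tag fails, or -1 if intact.
    Deleting, inserting or editing any record breaks every tag from that point on."""
    prev = GENESIS
    for i, rec in enumerate(chained):
        payload = json.dumps(rec["event"], sort_keys=True).encode()
        expected = hmac.new(key, prev + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), rec["tag"]):
            return i
        prev = expected
    return -1


def flag_account_creation(events, internal_prefixes=("10.",)):
    """Return admin-console account creations not sourced from an internal range."""
    return [ev for ev in events if ev.get("action") == "user.create"
            and not ev.get("src", "").startswith(internal_prefixes)]
```

Running `verify_chain` on the copy kept inside the private network and on the copy left in the DMZ, and comparing the results, is what makes a deleted "user.create" record visible.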
Secure your DMZ with GoAnywhere Gateway
GoAnywhere Gateway is an enhanced reverse and forward proxy that provides organizations with an additional layer of security for exchanging sensitive data with trading partners. The reverse proxy handles inbound requests from trading partners, while the forward proxy takes care of outbound file transfer requests from internal employees and systems.
With a DMZ secure gateway, like GoAnywhere Gateway, these security concerns are addressed by allowing an organization to move file sharing and other public services out of the DMZ and into the private network without opening any inbound ports. This approach keeps data files safe in the private network, since they no longer need to be staged in the DMZ. It also helps support compliance with PCI DSS, HIPAA, HITECH, SOX, GLBA, and state privacy laws, because no inbound ports need to be opened into your private network.
GoAnywhere Gateway also supports FTP, FTPS, SFTP, SCP, HTTP, HTTPS, and AS2 file transfer protocols. With Gateway, file sharing services can be kept safe and secure inside your private network, without exposing data to your DMZ.