If you’ve watched a science-fiction movie about space travel, then you’ve likely seen some version of a scene in which an astronaut reenters their ship from the outside abyss. Because the ship exists as a haven from the dangerous environment of empty space, the astronaut cannot simply open the door and stroll directly into the cockpit. To do so would compromise the human-compatible environment of the Millennium Falcon or USS Enterprise.
Instead, the astronaut first enters an outside chamber, which is sealed off from the main vessel. After the doors reseal securely behind them, pressure returns to normal, the air is filled with oxygen, and the astronaut can open the doors to rejoin Spock or Han Solo.
No doubt that your organization is also exploring frontiers and executing daring missions. However, your light-speed travel most likely happens across internet connections rather than galaxies. Even so, data files may enter and exit your internal system in a similar way to an astronaut and their ship: through a DMZ.
What does a DMZ do?
In today’s business world, exchanging files with customers and trading partners is essential; this makes data security an even more pressing challenge. A DMZ (Demilitarized Zone) functions somewhat like the chamber that allows space travelers to enter and reenter the ship without compromising its safety. It’s the neutral network that resides between your company’s private network and the Internet, containing asteroids, aliens, and other dangers.
How does a DMZ work?
An organization’s DMZ typically contains web servers, FTPS, SFTP, and HTTPS servers, as well as other services it wants to make available to customers and trading partners. To serve the organization’s purpose, these services need access to the files that will be shared with partners.
Like the double airlocks of a spaceship’s chamber, the DMZ limits files on both ends. The DMZ is provisioned with a front-end firewall that limits inbound Internet traffic to certain systems within its zone. On the back end, another firewall is placed to prevent unauthorized access from the DMZ into the private network.
A DMZ serves as a staging area between an organization’s private network and Internet. In order to share a document with a trading partner, an internal program or employee can first copy the file from the private network onto a server in the DMZ. The partner can then download the file from that server using FTPS, SFTP, or HTTPS. Trading partners can also share files with the organization by uploading to a server in the DMZ through a similar process.
Is the DMZ dangerous?
Staging files in a publicly accessible DMZ comes with vulnerabilities.
For example, if attackers gain entry to a file server in the DMZ, they may be able to access user credentials or sensitive trading partner files that were placed there, encrypted or not. In fact, data security compliance auditors are increasingly prohibiting data storage in the DMZ. Also at risk is your file sharing software, especially if it’s administered from the DMZ itself. An attacker could create a "back door" user account into an SFTP server through its admin console, and this seemingly "legitimate" user could then be used to gather sensitive data files over time.
An organization may react to these threats by moving its file sharing services (e.g. FTPS servers or SFTP servers) and sensitive data files from the DMZ into its private network. However, the private network’s inbound ports would traditionally need to be opened, which in turn creates an entirely new set of potential exposures and compliance issues.
Why do you need a DMZ secure gateway?
A DMZ secure gateway, like GoAnywhere Gateway, allows files to be shared without ever being stored in the DMZ or having to open inbound ports. It solves security concerns by allowing an organization to move file sharing and other public services from the DMZ into the private network. This software is stored on a hardened server in the DMZ and includes forward and reverse proxy services. To your trading partners, the process will appear to use the same protocols and ports as before.
Internal users can make connections to external systems while hiding the identities and locations of the internal systems for security purposes. When a trading partner wants to initiate a file exchange, the gateway will connect to the partner without opening any inbound ports. This makes the gateway like a "middle man" that acts between the user and the external server.
Learn more about these secret weapons of data security
Keep files moving in and out of your organization while protecting the mothership. Live long and prosper! For more information, download the entire complementary white paper on DMZ.
Download the DMZ Guide