432 Chapter 7 • Topologies and IDS
In addition, when a number of these features are implemented on any single device (especially a firewall), it creates a wide opportunity for a successful attacker if that device is ever compromised. If one of these new hybrid information security devices is chosen, it is important to stay extra vigilant about applying patches and to include in the risk mitigation planning how to deal with a situation in which this device falls under the control of an attacker.
TEST DAY TIP
Risk mitigation, according to the Project Management Institute (PMI), seeks to reduce the probability and/or impact of a specific risk below an acceptable threshold. For more information on risk and project management, see the PMI online at www.pmi.org.
Although the installation of a firewall or hybrid device protects the internal systems of an organization, it does nothing to protect the systems that are made available to the public Internet. A different type of implementation is needed to add basic protection for those systems that are offered for public use. Thus enters the concept of the DMZ.
EXAM WARNING
A DMZ is a special section of the network, usually closest to the
Internet, which uses switches, routers, and firewalls to allow access to
public resources without allowing this traffic to reach the resources and
computers in the private network.
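The DMZ principle described in the warning above, as an added example that is not from the book: a small Python model of a three-zone firewall policy (the zone address ranges and rule list are constructed for illustration) showing that Internet traffic reaches only the DMZ and that a DMZ host cannot initiate connections into the private network, which bounds what an attacker gains by compromising a public-facing system.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan: RFC 1918 space for the private network and an
# RFC 5737 documentation range standing in for the public-facing DMZ hosts.
ZONES = {
    "internal": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.0.2.0/24"),
}
ANY = "*"


def zone_of(addr):
    """Map an address to its zone; anything outside the known ranges is the Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


# Ordered policy, first match wins: (source zone, destination zone, destination port, action).
# Only the DMZ is exposed to the Internet, and nothing lets the DMZ initiate
# connections into the private network, so a compromised public host stays contained.
RULES = [
    ("internet", "dmz", 80, "allow"),
    ("internet", "dmz", 443, "allow"),
    ("internal", "dmz", ANY, "allow"),      # administration of DMZ hosts from inside
    ("internal", "internet", ANY, "allow"), # outbound access from the private network
    (ANY, ANY, ANY, "deny"),                # default deny
]


def decide(src_ip, dst_ip, dst_port):
    """Return 'allow' or 'deny' for a connection attempt between two addresses."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule_src, rule_dst, rule_port, action in RULES:
        if rule_src in (ANY, src) and rule_dst in (ANY, dst) and rule_port in (ANY, dst_port):
            return action
    return "deny"  # unreachable because of the catch-all rule, kept as a safety net


def exposure(zone):
    """Set of (destination zone, port) a host in `zone` may reach: its blast radius if compromised."""
    return {(d, p) for s, d, p, a in RULES if a == "allow" and s in (ANY, zone)}
```

`exposure("dmz")` returning an empty set is the property the DMZ is meant to give: a public host that falls to an attacker has no permitted path into the private network.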
Introducing the Demilitarized Zone
In computer security, the DMZ is a “neutral” network segment where systems accessible to the public Internet are housed, which offers some basic levels of protection against attacks. The term “DMZ” is derived from the military and is used to describe a “safe” or buffer area between two countries where, by mutual agreement, no troops or war-making activities are allowed. There are usually strict rules regarding what is allowed within the zone. When applying this term to the IT security realm, DMZ segments are usually created in one of two ways:
www.syngress.com