DMZ Implementation – Sharing Data from Private Network

firewall

I have recently sat in some networking lectures and have a few questions about DMZ.

The example that I was given was: I have an office which has a private network. In that private network, there is a database which stores all of the office's figures, as well as bank transaction details and staff details.

There was a requirement for the office's headquarters to access the store's figures. The lecturer introduced DMZ, but didn't go into enough detail.

Q1. Would the DMZ simply have a web server sitting within it, which would then get updated periodically by the private network's database? (only updating the web server with the store's figures of course). Or would the web server be the one querying the internal database? Pardon my ignorance here.

Q2. Assuming that there were two firewalls installed in the network, Firewall 1 only allowing traffic from the Internet destined for the DMZ, and Firewall 2 only allowing traffic from the DMZ to the internal network. How would the private network have Internet access? Would Firewall 1 and Firewall 2 also be set up to allow HTTP and HTTPS traffic destined for the private network?

Please note that computer networking is my weakest subject, so I apologise in advance if I have missed out anything fundamental. I am just looking to enhance my understanding of DMZ.

Thanks in advance.

Best Answer

Q1: Either way would work, and it would likely be dependent on the application. One could argue that pushing the data to the web server might be more secure.

Q2: The firewalls also allow connections to start from the inside (trusted) to the outside (untrusted). This is the default policy for most firewalls. Note that the direction (who is initiating the connection) is important here: inside to outside is normally allowed, outside to inside is only allowed for specific hosts and protocols.
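To make the direction-based policy in the answer concrete, here is an added nftables ruleset for the two-firewall layout in the question. It is not from the original post or answer. The interface names (wan0, dmz0 on Firewall 1; dmz1, lan0 on Firewall 2), the DMZ web server address 192.0.2.10, the internal database address 10.0.0.20 and the database port 5432 are assumptions for illustration. The fw1 table is meant for Firewall 1 and the fw2 table for Firewall 2; each would be loaded on its own device with `nft -f`, and forwarding must be enabled on both (net.ipv4.ip_forward=1). The comments in fw2 also show where the Q1 push-versus-pull choice lands in the policy.

```nft
# Firewall 1: Internet (wan0) <-> DMZ (dmz0). Assumed interface names and
# addresses; 192.0.2.10 is the assumed DMZ web server (RFC 5737 range).
table inet fw1 {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Direction is decided by who opened the connection: once a new
        # connection has been accepted below, its replies are matched here
        # by connection tracking regardless of which way the packets flow.
        ct state established,related accept
        ct state invalid drop

        # Outside -> inside: only the published host, only HTTP/HTTPS.
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport { 80, 443 } accept

        # Inside -> outside: new connections may leave. Traffic from the
        # private network arrives on dmz0 too, having passed Firewall 2,
        # so this single rule is what gives the office its Internet access (Q2).
        iifname "dmz0" oifname "wan0" ct state new accept
    }
}

# Firewall 2: DMZ (dmz1) <-> private network (lan0). 10.0.0.20 is the
# assumed internal database host (RFC 1918 range); 5432 is an assumed port.
table inet fw2 {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Private network -> outward (to the DMZ and, via Firewall 1, the
        # Internet). Replies come back through the conntrack rule above, so
        # nothing from the outside needs a rule pointing at the private LAN.
        iifname "lan0" oifname "dmz1" ct state new accept

        # DMZ -> private network: nothing by default. If the web server pulls
        # the figures itself (Q1, pull model), open exactly this one path.
        # If the database pushes updates to the web server instead (Q1, push
        # model), delete this rule: the push is an outbound connection and is
        # already covered by the lan0 -> dmz1 rule above.
        iifname "dmz1" oifname "lan0" ip saddr 192.0.2.10 ip daddr 10.0.0.20 tcp dport 5432 accept
    }
}
```

Note that no rule anywhere permits a connection that starts on wan0 and ends on lan0: the only way for an outside host to reach the private network is to first compromise the web server and then use the single DMZ-to-LAN rule, which is why the push model (no such rule at all) is the tighter of the two options.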
