A key element of federal cybersecurity is a network demilitarized zone, or DMZ, which comes from the military term designating a neutral area that separates warring parties.
Network DMZs are nothing new, and some agencies have been using them for decades. Yet they have taken on growing importance, since agencies can use them to publish open data for the public — which they are required to do in many cases —while still keeping the data and internal networks secure.
What is a DMZ Network?
A network DMZ separates the public (and potentially malicious actors) from internal networks and sensitive data. The State Department has been using DMZ technology since the late 1990s, according to a State Department official.
Its purpose “is to enforce the internal network’s information assurance policy for external information exchange and to provide external, trusted and untrusted sources with restricted access as required to releasable information while shielding the internal networks from outside attacks.”
How do Government Agencies use DMZ Networks?
What does that mean in plain English? According to the official, the agency uses the DMZ to “exchange information with other government agencies, non-government organizations and the public.” DMZs can leave some information open to the public but protect other information. The State Department official says that the agency’s DMZ “contains information required to share with other government agencies, non-government organizations and the public that is necessary for the department to successfully conduct its diplomatic mission.”
The technologies the State Department uses to deliver the services within the DMZ “provide access to information for consumers outside of the department in a standardized, reliable and secure manner,” the official adds.
Which Government Agencies Use DMZ Networks?
Other agencies have also deployed network DMZs. In early 2010, the Defense Information Systems Agency, the Defense Department’s IT services arm, first announced plans to use DMZ technology to “cordon off its unclassified networks from public Internet access, creating a ‘demilitarized zone’ isolating Web-based servers and applications from other defense systems,” the publication Defense Systems reported.
In early 2011, Dave Mihelcic, then DISA’s CTO, announced that the agency had created a DMZ “for unclassified applications to help manage access and improve security between the public Internet and Unclassified but Sensitive IP Router Network,” which was formerly known as NIPRNet, according to GCN.
“If we are under a cyberattack we could potentially crank up the level of security for most of our servers inside and yet leave certain critical e-commerce servers open to the internet, still with security controls, but we don’t have to cut them off,” Mihelcic said at the time, according to Federal News Radio. “It’s a collection of services to secure both inbound and outbound traffic, and control what is exposed and what isn’t.”
DISA also operates DMZs for the Secret IP Router Network (SIPRNet) Federal DMZ (FED-DMZ) and the SIPRNet Releasable (SIPR REL) DMZ, the agency notes. SIRPNet provides point-to-point connectivity to mission partners, as well as “IP-based secret information transfer across DOD for official DOD business applications such as e-mail, web services, and file transfer.”
DMZs also allow agencies to release information to the public while protecting the integrity of their data and networks. If agencies want to provide data to the public, they can replicate their data, perhaps through virtualization, within a DMZ, Rod Turk, the CISO and acting CIO of the Commerce Department, told Nextgov.
The data in the DMZ would not be the database of record — the central and original source of the data, Turk explains. Agencies can update the data in the DMZ for public use and consumption.
However, if that data is then hacked or compromised, agencies can “just remove the data from the DMZ and just reload from the database of record. So what you’ve really done is you’ve segmented the database of record from the data that’s available to the public, that may be more exposed to issues,” he says.
How to Secure a DMZ Network for your Government Agency
How are agency DMZs secured in practice? According to the State Department official, the agency’s DMZ “is built by leveraging security in depth.”
Hardware and software firewalls control access at the network layer and segment the DMZ into security zones based on the security categorization of the information being exchanged, the official says.
Further, the official says, “host and network intrusion detection and prevention technologies are deployed throughout the DMZ segments to protect the environment from mischievous activities.”
The State Department also uses centralized authentication, authorization and roles-based access management technologies to control user-level access to each system, according to the official. For even greater protection, the official says, “the applications within the DMZ are segmented from each other and structured into distinct layers,” such as web, application and database tiers.
DISA has an entire document devoted to how connections can be made to the Defense Information Systems Network, or DISN, which outlines how its network DMZs operate. There are different guidelines for SIRPNet connections and Sensitive But Unclassified IP Data network connections.
DISA’s Internet Access Point (IAP) DMZ virtual private network service provides mission partners the ability to obtain internet access through an Multiprotocol Label Switching (MPLS) layer 3 VPN at any Defense Enterprise Computing Center (DECC) location. “It is an enterprise VPN service providing IAP internet access to mission partners across the DISN,” the agency notes.
“This service is the implementation of [MPLS] VPN to move traffic across the DISN from Internet Access Point (IAP) to DMZ Extension,” DISA says. The services use virtual routing and forwarding and virtual firewalling techniques to terminate the connection at an enclave boundary, or the point at which a network enclave’s internal network service layer connects to an external network’s service layer, in other words to another enclave or to a WAN.