[Instructor] When opening a firewall port and enabling port forwarding, a risk is that some internal hosts, such as web servers, are now accessible on the internet. There's always a chance of an attacker compromising the web server. A compromised web server in the same network could infect other hosts and make them vulnerable too. DMZ is a solution to preventing this unfortunate scenario.

DMZ stands for demilitarized zone. It's a buffer area between an internal network and an external network. Therefore, DMZ further separates the internal network into a publicly accessible area and a protected area off limits to public access. DMZ allows us to avoid a situation where an internal network is directly exposed to the external network. This way, a compromised host in the DMZ does not affect other hosts, and makes them less vulnerable. DMZ also allows more fine-grained network traffic monitoring by further dividing an internal network and placing more security controls.

One-legged topology is the most basic DMZ architecture. Topology here means a structure of how we connect hosts. To create a one-legged DMZ, we need to build on a NAT firewall host by connecting a DMZ subnet to it. We also need one more network interface card, that is, a third network interface card, and a switch to connect multiple hosts to the new network interface card. The diagram here shows that you could introduce a DMZ to an existing NAT firewall host by adding another switch and the third network interface card. The reason this setup is called "one-legged DMZ" is that the DMZ is connected to only one network interface card. In a full-blown DMZ, there'll be two network interface cards involved: one connected to the first NAT firewall host facing the external network, and the other connected to the second NAT firewall host facing the internal network.