What happens when we place the authentication system in our demilitarized zone (DMZ)?

Question:
What happens when we place the authentication system in our demilitarized zone (DMZ)—that is, in the layer closest to the Internet? What do we have to do to protect the authentication system? Does this placement facilitate authentication in some way? How about if we move the authentication system to a tier behind the DMZ, thus, a more trusted zone? What are the implications of doing so for authentication performance? For security?

PART 2

Length: Minimum of 600 words

Questions. Make sure to explain and back up your responses with facts and examples. This assignment should be in APA format and must include at least two references.

System architecture is the descriptive representation of the system’s component functions and the communication flows between those components.

My definition immediately raises some important questions.

• What are “components”?

• Which functions are relevant?

• What is a communication flow?

1) A demilitarized zone (DMZ) is a buffer network (subnet) that sits between the private network and an untrusted network such as the Internet. The DMZ generally holds the publicly accessible resources, such as web and email servers (Dadheech et al., 2018), and creating one is part of a layered security approach. When we place the authentication system in the DMZ, it becomes the point at which Internet users must present credentials before any of their traffic is allowed through the inner firewall into the private network (Jiang et al., 2018). Servers in the private network therefore never receive unauthenticated connections directly from the Internet, which protects them from direct compromise by attackers; the trade-off is that the authentication system itself is now the Internet-facing target and must be hardened accordingly.

To protect the authentication system, we place a Virtual Private Network (VPN) server inside the DMZ and require Internet users to authenticate to it (Dadheech et al., 2018). Packet-filtering firewalls are then configured on both sides of the DMZ: the outer firewall admits only the VPN service's ports to the VPN server, and the inner firewall admits only connections that originate from the VPN server, so nothing else in the DMZ can reach the private network (Dadheech et al., 2018). This confines access to resources to users who have already authenticated. The authentication system itself should enforce strong passwords and access codes so that it resists credential-guessing attacks (Jiang et al., 2018). This placement facilitates authentication in the sense that every Internet user passes through a single, well-defined checkpoint before reaching any internal resource.

If we instead move the authentication system to a tier behind the DMZ, it sits in a more trusted zone and is no longer directly exposed to the Internet. The DMZ then functions as the first control point: a relay or VPN server in the DMZ accepts the Internet user's connection, and only that relay is allowed through the inner firewall to the authentication system, which strengthens the protection of the internal servers (Jiang et al., 2018). Blocking unwanted traffic also becomes simpler, because the inner firewall needs to admit only the relay's address and port. In other words, the internal network gains two control points rather than one: the outer firewall with its DMZ relay, and the authentication system behind the inner firewall (Dadheech et al., 2018). For performance, each authentication request now crosses a second firewall and an extra hop, which adds some latency. For security, the additional layer means that an attacker who compromises a DMZ host still does not hold the authentication system or its credential store, and the organization's internal servers remain reachable only by users the authentication system has admitted (Jiang et al., 2018).

2) Placing the authentication system in a DMZ exposes it to the Internet, but the DMZ is designed to absorb that exposure: it protects the rest of the network from intrusions and attacks that may compromise the system. All Internet users must authenticate in the DMZ before they are granted access to the private network. Implementing a DMZ is a strategy that supports a layered security approach. It lets Internet users reach public resources, including email and web servers, without gaining access to the main internal networks. A DMZ serves as a wall that separates the private network from an untrusted network such as the Internet (Hawrylak et al., 2019). Unauthenticated and unverified traffic cannot enter the private network when authentication is done in the DMZ, so an attempt by hackers to breach the system compromises, at worst, servers within the DMZ. An Internet user seeking access to the private network is required to authenticate to a VPN server within the DMZ. This strategy does require that specific ports, which would otherwise be closed, be opened on the outer firewall.

Authentication is crucial to network security: it distinguishes users who are allowed access from those who are not, before any authorization decision is made. Protecting the authentication system is therefore a fundamental practice. First, every user should be assigned unique credentials, which lets administrators track each user's activity. Using different credentials, such as distinct passwords for different accounts, limits the damage when any one of them is compromised (Aldrian et al., 2017). Passwords must also be complex enough that they are difficult to crack. Other protections for the authentication system include multi-factor authentication and encryption of credentials in transit and at rest.

This placement improves the effectiveness of the authentication system and thus the security of the network: practices that secure it ensure that access is granted only to users with valid credentials, and the main network, including the private servers, is protected from unauthorized users (Wang et al., 2017). This is an advantage to administrators and a burden on users, who must authenticate before reaching anything. Moving the authentication system to a tier behind the DMZ changes the performance picture in two ways: each authentication request must now pass the inner firewall and, typically, a relay in the DMZ, which adds a hop and some latency, while the volume of raw Internet traffic that reaches the system falls because the DMZ filters it first. On the security side, the authentication system and its credential store are no longer directly reachable from the Internet, and the DMZ continues to serve as an extra layer in front of them.

3) A demilitarized zone (DMZ) is a buffer network that sits between the private network and an untrusted network. A DMZ holds publicly accessible resources, such as web, FTP, or email servers. Creating a DMZ is part of a layered security approach.

If the firewall managing traffic into the DMZ fails, only the servers in the DMZ are subject to compromise; the LAN is protected by default. Packet filters on the firewall allow traffic directed to the public resources inside the DMZ and prevent unauthorized traffic from reaching the private network. When designing the firewall packet filters, a common practice is to close all ports, opening only those necessary for accessing the public resources inside the DMZ.

To allow access to private resources from the Internet, use one of the following approaches:

• Place a VPN server inside the DMZ. Require Internet users to authenticate to the VPN server, then allow communications from the VPN server to the private network. Only communications coming through the VPN server are allowed through the inner firewall.

• Copy the resources that Internet users need to servers inside the DMZ. Even with authentication and authorization configured, this approach exposes those resources in the DMZ to Internet attacks.

Typically, firewalls allow traffic originating in the secured internal network into the DMZ and through it to the Internet. Traffic that originates in the DMZ (low-security area) or the Internet (no-security area) should not be allowed into the intranet (high-security area).

Yes, it is possible to place the Authentication Proxy in a DMZ.

If you do place your proxy in a DMZ, ensure the following:

• Port 443 is open only for inbound/outbound traffic between the DMZ and external networks.

• No inbound LDAP or RADIUS ports are open to the outside.

• Inbound access from the proxy to your LDAP or RADIUS server is permitted if you have configured the Authentication Proxy to perform primary authentication.

Also note: we recommend that you encrypt sensitive items, such as your service account password and RADIUS secret, in your config file.
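The packet-filter design described above (close everything, open only the published DMZ ports, let only the VPN server through the inner firewall, let internal traffic out) and the Authentication Proxy rules just listed can be checked against a model before they are typed into a firewall. The following Python block is an added example written for this page, not code from the original text or from any firewall or proxy vendor. The zone address ranges, host addresses and the VPN port are constructed assumptions; the proxy's LDAP and RADIUS ports are the standard 636 (LDAPS) and 1812.

```python
"""Three-zone packet-filter policy model: Internet / DMZ / intranet.

Added example for this page, not code from the original text. Hosts,
addresses and the VPN port are constructed for illustration. The rules
encode what the page describes: default deny, public DMZ services reachable
from the Internet, only the VPN server allowed through the inner firewall,
traffic originating in the intranet allowed outward, and an Authentication
Proxy in the DMZ that uses outbound 443 only, with no inbound LDAP/RADIUS
from outside. Each flow is a connection-initiating packet; replies are
assumed to be handled by connection tracking, as on a stateful firewall.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Most specific zones first; 0.0.0.0/0 must be checked last.
ZONES = [
    ("dmz", ip_network("192.0.2.0/24")),      # TEST-NET-1, constructed
    ("intranet", ip_network("10.0.0.0/8")),   # constructed
    ("internet", ip_network("0.0.0.0/0")),
]

# Constructed host addresses for the model.
WEB_SERVER = "192.0.2.10"
VPN_SERVER = "192.0.2.20"
AUTH_PROXY = "192.0.2.30"
LDAP_SERVER = "10.0.0.5"
FILE_SERVER = "10.0.0.50"
VPN_PORT = ("udp", 1194)   # assumed OpenVPN-style port; the page names none


def zone_of(addr: str) -> str:
    a = ip_address(addr)
    return next(name for name, net in ZONES if a in net)


@dataclass(frozen=True)
class Rule:
    """Allow rule. None means 'any' for that field. There are no deny rules:
    anything no rule matches is dropped (default deny)."""
    src_zone: str
    dst_zone: str
    src_host: Optional[str] = None
    dst_host: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (self.src_zone == zone_of(src)
                and self.dst_zone == zone_of(dst)
                and self.src_host in (None, src)
                and self.dst_host in (None, dst)
                and self.proto in (None, proto)
                and self.dst_port in (None, port))


POLICY = [
    # Outer firewall: only the published DMZ services are reachable from outside.
    Rule("internet", "dmz", dst_host=WEB_SERVER, proto="tcp", dst_port=80),
    Rule("internet", "dmz", dst_host=WEB_SERVER, proto="tcp", dst_port=443),
    Rule("internet", "dmz", dst_host=VPN_SERVER, proto=VPN_PORT[0], dst_port=VPN_PORT[1]),
    # Inner firewall: only connections coming through the VPN server may enter
    # the private network. A compromised web server gets nothing.
    Rule("dmz", "intranet", src_host=VPN_SERVER),
    # Authentication Proxy in the DMZ: outbound 443 to external networks, and
    # it alone may reach the LDAP server (LDAPS) for primary authentication.
    Rule("dmz", "internet", src_host=AUTH_PROXY, proto="tcp", dst_port=443),
    Rule("dmz", "intranet", src_host=AUTH_PROXY, dst_host=LDAP_SERVER, proto="tcp", dst_port=636),
    # Traffic originating in the secured network may go to the DMZ and the Internet.
    Rule("intranet", "dmz"),
    Rule("intranet", "internet"),
]


def permitted(src: str, dst: str, proto: str, port: int) -> bool:
    """Match the flow against the allow rules; no match means drop."""
    return any(r.matches(src, dst, proto, port) for r in POLICY)


def audit() -> dict:
    """Evaluate the flows the page's rules are meant to allow or block."""
    cases = {
        "internet_to_web_https": ("203.0.113.7", WEB_SERVER, "tcp", 443),
        "internet_to_web_ssh": ("203.0.113.7", WEB_SERVER, "tcp", 22),
        "internet_to_vpn": ("203.0.113.7", VPN_SERVER, *VPN_PORT),
        "internet_direct_to_fileserver": ("203.0.113.7", FILE_SERVER, "tcp", 445),
        "vpn_to_fileserver": (VPN_SERVER, FILE_SERVER, "tcp", 445),
        "compromised_web_to_fileserver": (WEB_SERVER, FILE_SERVER, "tcp", 445),
        "internet_to_proxy_ldap": ("203.0.113.7", AUTH_PROXY, "tcp", 389),
        "internet_to_proxy_radius": ("203.0.113.7", AUTH_PROXY, "udp", 1812),
        "proxy_to_cloud_443": (AUTH_PROXY, "198.51.100.9", "tcp", 443),
        "proxy_to_ldaps": (AUTH_PROXY, LDAP_SERVER, "tcp", 636),
        "web_to_ldaps": (WEB_SERVER, LDAP_SERVER, "tcp", 636),
        "intranet_to_internet": (FILE_SERVER, "198.51.100.9", "tcp", 443),
    }
    return {name: permitted(*flow) for name, flow in cases.items()}


if __name__ == "__main__":
    for name, allowed in audit().items():
        print(f"{name:32s} {'ALLOW' if allowed else 'DROP'}")
```

The audit deliberately includes the failure modes the page warns about: a compromised web server in the DMZ trying to reach the file server or the LDAP server is dropped, an Internet host trying to reach the private network directly is dropped, and the proxy's LDAP and RADIUS ports are unreachable from outside even though the proxy itself sits in the DMZ. The model stands in for a stateful firewall, so only the first packet of each connection is judged.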

One example from a blog that explains a DMZ used in a company: "The best idea, in my opinion, is to configure a separate forest in the DMZ and consider it a resource forest. That is, no user accounts in that forest. Then use a feature called Selective Authentication to allow only a pre-determined set of users to authenticate to that resource forest. This will limit the exposure of your internal AD forest, yet allow for centralized administration of the accounts. Generally speaking, the financial cost of deploying a second forest (OS licenses, redundancy, backup and DR considerations, patch maintenance, etc.) would be better spent on adding multi-factor authentication to your primary account forest, or a subset of those users."

 
