In today’s business world, exchanging files with trading partners and customers is essential, and there is no doubt that data security, keeping private information private, is a pressing issue. Your organization has most likely already considered the best way for files to enter and exit your internal system: through a DMZ.
What is a DMZ?
A DMZ, or Demilitarized Zone, functions somewhat like the halfway point an astronaut passes through when re-entering the ship without compromising anyone’s safety. It is the neutral network that resides between your company’s private network and the Internet. It contains the systems the organization exposes to outside, untrusted sources, and it serves as a staging area between the private network and the Internet.
How Does a DMZ Work?
An organization’s DMZ typically contains web servers, FTPS, SFTP, and HTTPS servers, along with other services it wants to make available to trading partners and customers.
Traffic is restricted on both ends of the DMZ. A front-end firewall limits inbound Internet traffic to certain systems within the zone, and on the back end another firewall prevents unauthorized access from the DMZ into the private network.
If a document needs to be shared with a trading partner, an employee or internal program can copy the file from the private network onto a server in the DMZ. The partner can then download the file from that server using SFTP, FTPS, or HTTPS. Through a similar process, trading partners can also share files with the organization by uploading to a server in the DMZ.
Is the DMZ Dangerous?
The act of staging files in a publicly accessible DMZ comes with a set of vulnerabilities.
For example, if an attacker were to gain entry to a file server in the DMZ, they may then be able to access the sensitive trading partner files that were placed there, encrypted or not, or potentially obtain private user credentials. In fact, data security compliance auditors are increasingly prohibiting storage of sensitive files in the DMZ. Even your file sharing software could find itself in danger, especially if it is administered from the DMZ: an attacker could create a “back door” user account on an SFTP server through its admin console, and this seemingly legitimate user could then be used to gather sensitive data files over time.
An organization may react to these threats by moving its file sharing services (e.g., SFTP or FTPS servers) and sensitive data files from the DMZ into its private network. However, the private network’s inbound ports would traditionally need to be opened, which in turn creates an entirely new set of potential exposures and compliance issues.
Why Do You Need a DMZ Gateway?
A DMZ Gateway, such as GoAnywhere Gateway, allows files to be shared successfully without ever storing them in the DMZ or opening inbound ports. This addresses the top security concerns by allowing an organization to move file sharing, along with other public services, from the DMZ into the private network. The gateway software runs on a hardened server in the DMZ and includes forward and reverse proxy services. To your trading partners, the exchange will appear to use the same protocols and ports as before.
Internal users can make connections to external systems while the locations and identities of the internal systems stay hidden for security purposes. When a trading partner initiates a file exchange, the gateway brokers the connection to the internal service without any inbound ports being opened into the private network. The gateway thus acts as a “middleman” between internal users or services and the external party in both directions.
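The reverse-proxy arrangement described above, as an added toy example that is not GoAnywhere's code: a relay in the DMZ listens on a public port and on a control port, an internal agent makes a single outbound connection to the control port, and the trading partner only ever reaches the public port. All hosts, ports, the stub file service and the `PUT` request line are constructed for the demo; the real product's control protocol is not shown.

```python
"""Toy DMZ gateway: the DMZ host only listens; the private network dials OUT."""
import contextlib
import socket
import threading

def _pump(src, dst):
    try:
        while chunk := src.recv(4096):   # relay one direction until EOF
            dst.sendall(chunk)
    finally:
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)  # pass the EOF along

def start_gateway(host="127.0.0.1"):
    """DMZ side. Returns (public_port, control_port); relays one session."""
    public, control = (socket.create_server((host, 0)) for _ in range(2))
    def serve():
        agent, _ = control.accept()   # outbound call from the private network
        client, _ = public.accept()   # trading partner arriving from the Internet
        back = threading.Thread(target=_pump, args=(agent, client), daemon=True)
        back.start()
        _pump(client, agent)          # partner -> internal service
        back.join()                   # internal service -> partner
        for s in (agent, client, public, control):
            s.close()
    threading.Thread(target=serve, daemon=True).start()
    return public.getsockname()[1], control.getsockname()[1]

def start_internal_agent(control_port, handler, host="127.0.0.1"):
    """Private side: ONE outbound connection; handler(bytes)->bytes is the stub server."""
    def run():
        with socket.create_connection((host, control_port)) as chan:
            request = chan.makefile("rb").readline()   # one line = one request
            chan.sendall(handler(request))
            chan.shutdown(socket.SHUT_WR)
    threading.Thread(target=run, daemon=True).start()

def exchange(public_port, payload, host="127.0.0.1"):
    """Trading-partner side: only ever reaches the gateway's public port."""
    with socket.create_connection((host, public_port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return s.makefile("rb").read()   # reply relayed from the private side

def demo():
    # constructed run: a partner "uploads" through the gateway to the stub server
    public_port, control_port = start_gateway()
    start_internal_agent(control_port, lambda req: b"STORED " + req.strip() + b"\n")
    return exchange(public_port, b"PUT invoice-2024.pdf\n")
```

Note that the back-end firewall in this model only has to permit the private network's outbound connection to the control port; nothing in the DMZ ever initiates a connection inward.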
Learn more about the powerful weapons of data security
Keep files seamlessly moving in and out of your organization. For more information, download this complimentary guide on DMZ gateways.