


A DMZ helps protect your organization's private network by adding a layer of security. The term is borrowed from geography: in South Korea, there is a strip of land called the Demilitarized Zone (DMZ), which is 4 km wide and separates the north and the south. This area of land is a security measure between the two countries. After the war, the DMZ was created as a physical buffer to prevent or limit the effects of attacks from the other side. If one layer fails or has no effect, another layer can still provide the defense. From this, we get the network security concept of a DMZ.
For added security, firewalls and intrusion prevention systems (IPS) are placed across all networks. This creates multiple layers of security that an attacker must compromise before reaching a protected resource. Like a spacecraft airlock chamber, the DMZ network protects sensitive data from the outside world. The DMZ network sits between the Internet and your organization's private network to manage access and traffic flow.
The DMZ essentially acts as an intermediary between an organization's private network and the Internet. To share a document with a business partner, an internal program or employee first copies the desired file from their own network to a server in the DMZ. The partner can then download the file from this server using a trusted protocol, such as FTP/FTPS, SFTP, or HTTP/HTTPS. In the other direction, when business partners need to share documents with the organization, they upload the file to a server in the DMZ. An internal program or an employee then looks for the files on that server and pulls them into the private network.
While many organizations exchange files using DMZs, staging files in an exposed, easily accessible location such as a DMZ leaves them vulnerable to many malicious attacks from enemy territory. A DMZ can have a major security impact if it is not properly protected. If a hacker gains access to the file server in the DMZ, they can access and download the sensitive data and commercial partner files stored there. Even encrypted files can be exposed to high-level attackers if the key or password is compromised.
There's also a high chance that credentials, certificates, or anything else needed for authentication are kept in the DMZ, which widens the security hole. The file sharing software itself is at risk, especially if it can be accessed from the DMZ. For example, let's say a malicious attacker gains access to your territory by creating a "backdoor" user account on the SFTP server through its admin console. This user account may appear "legitimate" and give hackers the ability to steal sensitive data files. Audit logs can also be manipulated if they are stored in the DMZ, allowing an attacker to erase any trace of where they have been.
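
The two risks above (a backdoor account that looks legitimate, and audit logs erased on the DMZ host) can be checked from the internal network. The following is an added example, not part of the original article: the account names, log lines, key and function names are constructed, and it assumes each audit record was forwarded to an internal host as it was written, where a keyed hash chain over the records is kept.

```python
import hashlib
import hmac

# Assumption: the key, the chain links and the approved-account baseline
# are stored on the internal network, never on the DMZ host.
CHAIN_KEY = b"constructed-demo-key"
APPROVED = ["ops_admin", "partner_sync"]

# Constructed sample audit records, as originally forwarded to the internal host.
ORIGINAL_LOG = [
    "2024-05-01T10:00:00Z admin login user=ops_admin",
    "2024-05-01T10:02:11Z admin create-user name=partner_sync2",
    "2024-05-01T10:05:40Z sftp download user=partner_sync2 file=/outbound/q1.csv",
    "2024-05-01T10:09:02Z admin logout user=ops_admin",
]
# Constructed DMZ copy after the create-user and download entries were erased.
TAMPERED_LOG = [ORIGINAL_LOG[0], ORIGINAL_LOG[3]]
# Constructed account list as reported by the SFTP server in the DMZ.
SERVER_ACCOUNTS = ["ops_admin", "partner_sync", "partner_sync2"]


def chain(records, key=CHAIN_KEY):
    """Return one HMAC-SHA256 link per record; each link covers the previous one."""
    link, links = b"\x00" * 32, []
    for rec in records:
        link = hmac.new(key, link + rec.encode(), hashlib.sha256).digest()
        links.append(link)
    return links


def first_divergence(dmz_records, internal_links, key=CHAIN_KEY):
    """Index of the first record that no longer matches the internal chain, else None."""
    dmz_links = chain(dmz_records, key)
    for i, expected in enumerate(internal_links):
        # A missing record or a changed record both break the chain at index i.
        if i >= len(dmz_links) or not hmac.compare_digest(dmz_links[i], expected):
            return i
    return None


def unapproved_accounts(server_accounts, approved=APPROVED):
    """Accounts present on the DMZ server but absent from the internal baseline."""
    return sorted(set(server_accounts) - set(approved))


if __name__ == "__main__":
    links = chain(ORIGINAL_LOG)  # computed internally as records arrived
    print("log diverges at record:", first_divergence(TAMPERED_LOG, links))
    print("unapproved accounts:", unapproved_accounts(SERVER_ACCOUNTS))
```

Because each link covers the one before it, deleting or editing any record on the DMZ host changes every later link, so the erased entries cannot be hidden without the internally held key.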