What happens if a server inside a DMZ needs to access a website?

Let's assume that you have the following configuration:


          .-~~~-.
  .- ~ ~-(       )_ _
 /                     ~ -.
|        Internet          \
 \                         .'
   ~- . _____________ . -~
            |
            |
            |
            |
      +-----------+
     /           /|
    +-----------+ |
    |           | +
    | Firewall  | /
    |           |/
    +-----------+
            |
            |               
            |
          +----+
         /    /|                        
        +----+ |
        |    | +    
        |    |/
        +----+
        Server

Let's assume that the firewall is blocking internet traffic, both inbound and outbound. Because the server is isolated from the internet, you can say that it is on a demilitarized zone (DMZ) network.

Normally, servers on DMZs contain sensitive data from an organization.

For example, let's assume that this server is collecting data from 3 sensors on the roads, and it's counting vehicles.


          .-~~~-.
  .- ~ ~-(       )_ _
 /                     ~ -.
|        Internet          \
 \                         .'
   ~- . _____________ . -~
            |
            |
            |
            |
      +-----------+
     /           /|
    +-----------+ |
    |           | +
    | Firewall  | /       
    |           |/     
    +-----------+      
            |           
            |              
            |        Sensor 1 (road A)
          +----+   /
         /    /|  /                       
        +----+ |  ------- Sensor 2 (road B)
        |    | +  \   
        |    |/    \ 
        +----+       Sensor 3 (road C)
        Server

Let's assume that the server is collecting the information and storing it in a table:

| sensor | road | time  | number of vehicles |
|--------|------|-------|--------------------|
| 1      | A    | 02:00 | 25                 |
| 2      | B    | 02:00 | 50                 |
| 3      | C    | 02:00 | 40                 |

As the data remains inside the DMZ, this configuration is fine.

Now, let's assume that the server needs internet access to get temperature data. If the data is on a public internet website, the firewall needs to allow outbound traffic to, and inbound traffic from, the website's IP.


          .-~~~-.
  .- ~ ~-(       )_ _
 /                     ~ -.
|        Internet          \          *-------------------*
 \                         .'-------- |  Temperature web  |
   ~- . _____________ . -~            *-------------------*
            |
            |
            |
            |
      +-----------+
     /           /|
    +-----------+ |
    |           | +
    | Firewall  | /       
    |           |/     
    +-----------+      
            |           
            |              
            |        Sensor 1 (road A)
          +----+   /
         /    /|  /                       
        +----+ |  ------- Sensor 2 (road B)
        |    | +  \   
        |    |/    \ 
        +----+       Sensor 3 (road C)
        Server

And here is an example of the data obtained:

| sensor | road | time  | number of vehicles | temperature (°C) |
|--------|------|-------|--------------------|------------------|
| 1      | A    | 02:00 | 25                 | 25               |
| 2      | B    | 02:00 | 50                 | 27               |
| 3      | C    | 02:00 | 40                 | 22               |

Even though DMZs aren't supposed to have access to the internet, in some particular cases, it'll be necessary to configure the firewall to allow access to specific addresses (again, not recommended).
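
One way to express the narrow exception described above, as an added example (not the author's configuration): a shell function that renders an nftables ruleset with a default-drop policy, a single allowed outbound flow from the server to the website's IP, and inbound traffic admitted only as replies to connections the server opened. The addresses (RFC 5737 documentation ranges), TCP port 443, and the names `dmz_filter`, `is_ipv4` and `render_ruleset` are assumptions.

```sh
#!/bin/sh
# Added example: render an nftables ruleset for the firewall in the diagram.
# Addresses are constructed documentation values (RFC 5737), not from the post.

# is_ipv4 ADDR: succeed only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# render_ruleset SERVER_IP SITE_IP [PORT]: print the ruleset, or fail on bad input.
render_ruleset() {
    server_ip=$1 site_ip=$2 port=${3:-443}   # 443 (HTTPS) is an assumed default
    is_ipv4 "$server_ip" && is_ipv4 "$site_ip" || { echo "invalid IPv4 address" >&2; return 1; }
    case "$port" in ''|*[!0-9]*) echo "invalid port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "invalid port" >&2; return 1; }
    cat <<EOF
table inet dmz_filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections the server opened. No unsolicited inbound.
        ct state established,related accept
        # The only new flow allowed out: server to temperature website.
        ip saddr $server_ip ip daddr $site_ip tcp dport $port ct state new accept
        # Everything else is logged, counted and dropped.
        log prefix "dmz-drop: " counter drop
    }
}
EOF
}

# Constructed sample: server 192.0.2.10, temperature website 203.0.113.20.
render_ruleset 192.0.2.10 203.0.113.20 443
```

Saving the output to a file and running `nft -c -f FILE` checks the ruleset without applying it.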

Hi, I'm Erik, an engineer from Barcelona. If you like the post or have any comments, say hi.