What is DMZ in networking?

自古美人都是妖i submitted on 2019-12-23 07:26:41

Question


I have to configure a Java application which is hosted inside a corporate network. So what is a DMZ and how do I get through it to expose the services?


Answer 1:


DMZ (network):

In computer security, a DMZ, or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. The term is normally referred to as a DMZ by IT professionals. It is sometimes referred to as a Perimeter Network. The purpose of a DMZ is to add an additional layer of security to an organization's Local Area Network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network.




Answer 2:


The DMZ zone is an area of your local (home or corporate) network that is accessible from the outside (internet).

Typically, in a home router there is a configuration that allows you to specify which computer (IP) is in the DMZ, and the router will forward requests from the internet to that computer. That computer can then host services (http, ftp, ssh, ...) that will be available to the internet. Depending on the router, this will be more or less configurable.

In your case, I don't think that there is anything special to do in the Java application (other than binding the server socket on the right IP... if you have more than one, which you probably don't). You will have to configure the corporate router (or ask IT) to add your computer to the DMZ. They will probably give you an external IP (matched to your computer's internal IP) that can be used to access your service from the internet.




Answer 3:


Reasons why you want a DMZ and the benefits it offers: the general idea is that you put your public-facing servers in the "DMZ network" so that you can separate them from your private, trusted network. The use case is that because your server has a public face, it can be remotely rooted. If that happens, and a malicious party gains access to your server, he should be isolated in the DMZ network and not have direct access to the private hosts (or to a database server, for example, that would be inside the private network and not in the DMZ).

How to do it: there are several ways, but the 'book example' is by utilizing two firewalls (of course you can achieve the same result with one firewall and smart configuration, although hardware isolation is nicer). Your main firewall is between the internet and the server, and the second firewall is between the server and the private network. On this second firewall, all access from the server to the private network ideally would be forbidden (of course it would be a stateful firewall, so if you initiate a connection from the private network to the server it would work).

So, this is a fairly high level overview of DMZ. If you want more technical details please edit your question accordingly.

copied from stack exchange web site : https://security.stackexchange.com/questions/3667/what-is-the-real-function-and-use-of-a-dmz-on-a-network
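The two-firewall layout in the answer above can be checked as a policy before anyone touches a real firewall. The following is an added example, not code from the question or any of the answers: a small stateful packet-filter simulation with three zones (internet, DMZ, private). The address plan (192.0.2.0/24 for the DMZ, 10.0.0.0/24 for the LAN, a client at 203.0.113.7) and the service port 443 for the Java application are constructed assumptions. The outer firewall's rule (internet may reach only the published port on the DMZ host) and the inner firewall's rule (nothing initiated from the DMZ into the LAN, but private-side-initiated connections and their replies pass) are expressed as one zone-based policy, which is the "one firewall and smart configuration" variant the answer mentions.

```python
"""Stateful zone policy for a DMZ, modelled after the two-firewall design above.

Added example; addresses, ports and zone names are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption, not from the page).
ZONES = {
    "private": ip_network("10.0.0.0/24"),  # trusted LAN: database, workstations
    "dmz": ip_network("192.0.2.0/24"),     # public-facing subnet holding the Java app
}


def zone_of(addr: str) -> str:
    """Map an IP address to a zone; anything outside the known subnets is 'internet'."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 40000
    proto: str = "tcp"


# (src_zone, dst_zone) -> set of destination ports allowed to *initiate* a flow,
# or None for "any port". Pairs not listed are dropped. Port 443 is an assumption.
POLICY = {
    ("internet", "dmz"): {443},      # outer firewall: only the published service
    ("private", "dmz"): None,        # inner firewall: LAN may manage the DMZ host
    ("private", "internet"): None,   # normal outbound traffic from the LAN
}
# Deliberately no ("dmz", "private") entry: a compromised DMZ host cannot
# open connections into the trusted network, which is the whole point of a DMZ.


class StatefulFirewall:
    """Allows new flows by zone policy and replies by connection state."""

    def __init__(self, policy):
        self.policy = policy
        self.established = set()  # 5-tuples of flows already admitted
        self.log = []             # constructed drop log, one line per denied packet

    def allow(self, pkt: Packet) -> bool:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.established:
            return True  # reply traffic of an admitted flow passes regardless of zone
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        allowed = self.policy.get((src_zone, dst_zone), set())
        if allowed is None or pkt.dport in allowed:
            self.established.add(key)
            return True
        self.log.append(
            f"DROP {src_zone}->{dst_zone} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
        )
        return False


def run_scenario():
    """Exercise the policy with constructed hosts; returns (decisions, drop log)."""
    fw = StatefulFirewall(POLICY)
    client = "203.0.113.7"    # constructed internet client
    dmz_host = "192.0.2.10"   # the Java application in the DMZ
    db = "10.0.0.5"           # database server on the private network
    admin = "10.0.0.20"       # admin workstation on the private network
    results = {
        "client_to_service": fw.allow(Packet(client, dmz_host, 443, sport=51000)),
        "service_reply": fw.allow(Packet(dmz_host, client, 51000, sport=443)),
        "client_to_ssh": fw.allow(Packet(client, dmz_host, 22, sport=51001)),
        "dmz_to_db": fw.allow(Packet(dmz_host, db, 5432, sport=51002)),
        "admin_to_dmz": fw.allow(Packet(admin, dmz_host, 22, sport=51003)),
        "dmz_reply_to_admin": fw.allow(Packet(dmz_host, admin, 51003, sport=22)),
    }
    return results, fw.log


if __name__ == "__main__":
    decisions, drops = run_scenario()
    for name, ok in decisions.items():
        print(f"{name:20s} {'ALLOW' if ok else 'DROP'}")
    print("\n".join(drops))
```

The two denied packets are the interesting ones: the internet client probing SSH on the DMZ host is stopped at the outer firewall, and the DMZ host trying to open a connection to the database is stopped at the inner one, while the admin's SSH session into the DMZ and its replies pass because the connection was initiated from the private side. In a real deployment the same three-zone logic maps onto nftables or iptables chains with a conntrack "established" rule; the Java service itself needs no change beyond listening on the DMZ host's address, as the second answer notes.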



Source: https://stackoverflow.com/questions/2439564/what-is-dmz-in-networking
