Distinction between an extranet and a DMZ

These are academic distinctions. In the real world, you will find some combination of all of these concepts going by different terms.

In some organizations, a DMZ has a separate ISP network connection and has no access to internal resources. In other organizations, there are domain-joined machines in the DMZ that can communicate to a restricted set of internal machines. Sometimes internal and DMZ have separate firewalls. Sometimes they have separate interfaces on the same firewall.

It is important to know why someone should use an extranet or DMZ, because those are the security concepts that matter. From there, you can make a choice about how to allow access to certain resources. What it is actually called doesn't matter. In some cases, it is splitting hairs.


I don't think I've recently heard of an extranet outside of textbooks and class rooms.

A DMZ is a common networking topology with a network segment that is segregated by firewalls from the internal network and untrusted external networks (aka the internet).

In contrast the Extranet, if it is actually included in the network design, implies somewhat that it is connected to VPN's or actual private networks instead of the whole of the greater internet.

Many companies have multiple DMZ networks and would consider a network with a VPN gateway/router or a private interconnect just another DMZ.

More often an extranet is/was not so much a network topology but more implied to be a service separate from the internal network that is provided for a restricted set of somewhat trusted, known and/or authenticated external users, companies and networks.

From a networking perspective your webserver should reside in the DMZ network. The fact that your website allows your resellers to log in, browse your catalog, view stock and order, would mean that your website would be called an extranet by marketing departments. Development cost would go from $$ to $$$$.


For me, I boil this down to security policy. We have written policy that no publicly accessible system will have inbound access to the intranet unless specific exception is authorized. We also have a policy that the DMZ will not have inbound access to our intranet and that our extranet does. For example, we have a web server with backend database that must sync data with an intranet-based database. We put the web server on the DMZ, the backend database on the Extranet, and it syncs with the production intranet database. So for trust rating, public network would be 0, DMZ would be 1, Extranet would be 2, and intranet would be 3.

Tags:

Vpn

Dmz

Intranet

Related

scp inside sh-script with passphrase HAProxy error: Some configuration options require full privileges, so global.uid cannot be changed MySQL remote connection - Access denied for user 'username'@'localhost' (using password: YES) ssh host key certificates, find validity period remotely? How to get dig +short to return something when there is no answer? Advanced Audit Policy not getting applied on 2012 R2 proFTPD unable to determine IP address Windows Server Backup Fails: There is not enough disk space to create the volume shadow copy... How to use terraform.io to change the image of a stateful server without downtime or data loss? Automatic way to increase zone file serial number by one in BIND9 Invalid command 'AuthType', perhaps misspelled or defined by a module not included in the server configuration location of 70-persistent-net.rules in Centos 7

Recent Posts