DMZ:
- DMZ stands for DeMilitarized Zone. It is a physical or logical sub-network that separates an internal local area network (LAN) from untrusted networks such as the Internet.
- External-facing servers, resources and services are placed in the DMZ so that they are reachable from the Internet while the rest of the internal LAN stays unreachable from outside.
- It adds a layer of security to the LAN by restricting an attacker's ability to reach internal servers and data directly from the Internet.
- Any service offered to users on the Internet should be placed in the DMZ. The most common are Web, Mail, DNS, FTP and VoIP.
- The systems running these services are reachable by attackers and cybercriminals worldwide and must be hardened to withstand constant attack. A DMZ is also referred to as a perimeter network.
- There are various ways to design a network with a DMZ. The two most common are the single-firewall and dual-firewall designs; both can be expanded into far more complex architectures as the network requires.
- A single firewall with at least three network interfaces can create a DMZ: the external network runs from the ISP to the first interface, the internal network hangs off the second interface and the DMZ off the third.
- Separate rule sets govern each pair of zones: Internet to DMZ, LAN to DMZ and LAN to Internet. They tightly control which ports and traffic types may enter the DMZ from the Internet, limit DMZ hosts to specific hosts and services in the internal network, and block unsolicited connections from the DMZ towards either the Internet or the internal LAN. Since one device enforces all three boundaries, a single misconfiguration or compromise of that device exposes everything behind it.
- A more secure approach uses two firewalls. The first, the perimeter (front-end) firewall, allows only traffic destined for the DMZ. The second, the internal (back-end) firewall, allows only traffic between the DMZ and the internal network.
- This is considered more secure because two devices must be compromised before an attacker can reach the internal LAN; using firewalls from two different vendors makes it less likely that one vulnerability affects both. Because a DMZ segments the network, security controls can be tuned specifically for each segment.
- For example, a network intrusion detection and prevention system in a DMZ that contains only a Web server can block all traffic except HTTP and HTTPS requests on ports 80 and 443.
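The zone-pair rule sets of the three-interface design above, as an added example (not code from the original notes): the policy is a small table, a stateful filter evaluates constructed packets against it, and the same table is rendered as an nftables forward chain. Interface names, subnets, the database host, the mail relay and all ports are assumptions; 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges standing in for public address space.

```python
"""Three-interface DMZ firewall as a zone-pair policy table, evaluated by a
small stateful filter and rendered to nftables syntax. Added example; the
interface names, subnets, hosts and ports are assumptions."""
import ipaddress
from dataclasses import dataclass

# Zone -> (interface, subnet). The WAN zone is "everything else" and has no
# subnet; 10.10.0.0/24 is the LAN and 192.0.2.0/24 stands in for the DMZ block.
ZONES = {
    "wan": ("eth0", None),
    "lan": ("eth1", ipaddress.ip_network("10.10.0.0/24")),
    "dmz": ("eth2", ipaddress.ip_network("192.0.2.0/24")),
}


@dataclass(frozen=True)
class Rule:
    """Permit new TCP flows from src_zone to dst_zone on these ports.
    An empty dst_hosts means any host in dst_zone."""
    src_zone: str
    dst_zone: str
    dports: frozenset
    dst_hosts: frozenset = frozenset()


# Zone-pair rule sets from the bullets above (assumed hosts and ports).
POLICY = [
    Rule("wan", "dmz", frozenset({80, 443})),                          # Internet -> public web servers
    Rule("wan", "dmz", frozenset({25}), frozenset({"192.0.2.25"})),    # Internet -> mail relay only
    Rule("dmz", "lan", frozenset({5432}), frozenset({"10.10.0.50"})),  # web tier -> one database host
    Rule("lan", "dmz", frozenset({22, 443})),                          # LAN admins/users -> DMZ
    Rule("lan", "wan", frozenset({80, 443})),                          # LAN users -> Internet
]
# Nothing permits new dmz -> wan flows: a compromised DMZ host cannot call out.


def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, (_, net) in ZONES.items():
        if net is not None and ip in net:
            return name
    return "wan"


class Firewall:
    """Stateful forward filter: default drop, replies to accepted flows allowed."""

    def __init__(self, policy):
        self.policy = policy
        self.conntrack = set()  # accepted (src, sport, dst, dport) flows

    def filter(self, iifname, src, sport, dst, dport):
        src_zone = zone_of(src)
        if ZONES[src_zone][0] != iifname:  # address arriving on the wrong interface
            return ("DROP", "spoofed source")
        if (src, sport, dst, dport) in self.conntrack or (dst, dport, src, sport) in self.conntrack:
            return ("ACCEPT", "established")
        dst_zone = zone_of(dst)
        for rule in self.policy:
            if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
                continue
            if dport in rule.dports and (not rule.dst_hosts or dst in rule.dst_hosts):
                self.conntrack.add((src, sport, dst, dport))
                return ("ACCEPT", f"new {src_zone}->{dst_zone}")
        return ("DROP", f"no matching rule {src_zone}->{dst_zone}")


def render_nft(policy):
    """Render the same policy as an nftables forward chain (the anti-spoofing
    check above is left to rp_filter / fib rules and not shown here)."""
    lines = [
        "table inet dmz {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for r in policy:
        iif, oif = ZONES[r.src_zone][0], ZONES[r.dst_zone][0]
        hosts = f" ip daddr {{ {', '.join(sorted(r.dst_hosts))} }}" if r.dst_hosts else ""
        ports = ", ".join(str(p) for p in sorted(r.dports))
        lines.append(f'    iifname "{iif}" oifname "{oif}"{hosts} tcp dport {{ {ports} }} ct state new accept')
    lines += ["  }", "}"]
    return "\n".join(lines)


def run_scenario():
    """Constructed packets (iif, src, sport, dst, dport) against a fresh firewall."""
    fw = Firewall(POLICY)
    packets = [
        ("eth0", "203.0.113.7", 51000, "192.0.2.10", 443),   # Internet -> DMZ web: new, allowed
        ("eth2", "192.0.2.10", 443, "203.0.113.7", 51000),   # reply: established
        ("eth0", "203.0.113.7", 51001, "192.0.2.10", 22),    # Internet -> DMZ ssh: no rule
        ("eth2", "192.0.2.10", 40000, "10.10.0.50", 5432),   # web tier -> DB host: allowed
        ("eth2", "192.0.2.10", 40001, "10.10.0.51", 5432),   # web tier -> other LAN host: blocked
        ("eth2", "192.0.2.10", 40002, "203.0.113.99", 443),  # DMZ host calling out: blocked
        ("eth0", "10.10.0.5", 40003, "192.0.2.10", 443),     # LAN address on the WAN interface: spoof
    ]
    return [fw.filter(*p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
    print(render_nft(POLICY))
```

The two things worth checking in any real rule base are the same ones the scenario exercises: the DMZ-to-LAN rule names one host and one port rather than the whole LAN, and there is no rule at all for new DMZ-to-Internet flows, so a compromised web server cannot fetch a second stage or beacon out.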
Layer 7 filtering:
- Layer 7 filtering identifies traffic at layer 7 (the Application Layer) of the OSI model.
- Layer 7, the application layer of the OSI (Open Systems Interconnection) model, supports application and end-user processes such as HTTP and SMTP.
- Application-layer filtering devices provide better content filtering: they examine the payload of a packet and make decisions based on its content rather than only its headers.
- Many application-layer firewalls let you create filters that intercept, analyze or modify traffic specific to your network.
- Instead of shaping or filtering on port and source/destination address, a stream is identified by its contents. This is often called deep packet inspection (DPI) because it looks into packet payloads, not just the headers.
- Layer 7 classification is useful for protocols that negotiate dynamic source and destination ports, where port-based rules fail. Application-layer filtering systems can authenticate users directly, and filters can implement security policy rules for viewing, analyzing, blocking, redirecting or modifying traffic.
Layer 7 filtering limitations:
- It is CPU-intensive: every packet passed through Layer 7 inspection must be scanned against the pattern set, so implementations cap how many packets or bytes of each flow they inspect.
- It cannot see inside encrypted traffic. It can recognize that a stream is TLS, but not which application or protocol is carried inside, so unless the traffic is decrypted at the filter its use for identifying protocols such as BitTorrent (whose clients can encrypt their connections) is limited at best.
- It matches regex patterns against the first bytes of a stream, so if a protocol changes slightly (a new version, an obfuscated client) the pattern may no longer match and the flow falls through to the default verdict.
- It cannot be used to make routing or gateway decisions. A protocol cannot be identified by Layer 7 classification until the connection has been established and the first payload-carrying packets have been seen; by then the route for the flow's initial packets has already been chosen, so it is too late to send the flow out a different WAN.
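The content-based classification described in the Layer 7 filtering section, and each of the limitations listed above, as an added example (not code from the original notes): a port-based guess next to a regex classifier that accumulates the first packets of a flow. The signatures are simplified stand-ins for a real pattern set, the per-flow caps and the sample flows are constructed for this example, and client-side payloads only are modelled.

```python
"""Regex-based Layer 7 flow classification next to a port-based guess.
Added example; the signatures, caps and sample flows are assumptions."""
import re

# Simplified payload signatures in the style of pattern-based L7 classifiers
# (not a production pattern set). DOTALL so "." also matches 0x0a in binary data.
SIGNATURES = {
    "http": re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n", re.DOTALL),
    "ssh": re.compile(rb"^SSH-[12]\.\d+-", re.DOTALL),
    "smtp": re.compile(rb"^220[ -][^\r\n]*\r\n", re.DOTALL),
    # TLS record: type 22 (handshake), version 3.x, 2-byte length, then ClientHello (type 1)
    "tls": re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL),
}
MAX_PACKETS = 8   # stop inspecting a flow after this many packets ...
MAX_BYTES = 2048  # ... or this much payload: bounds the CPU spent per flow

PORT_TABLE = {22: "ssh", 25: "smtp", 80: "http", 443: "tls"}


def port_guess(dport):
    """Layer 3/4 style classification: trust the destination port."""
    return PORT_TABLE.get(dport, "unknown")


def classify_flow(payloads):
    """Layer 7 classification: accumulate payload from successive packets of one
    flow and match the signatures against it. Returns (label, packets seen
    before the verdict); "unknown" once a cap is hit or the flow ends."""
    buf = b""
    seen = 0
    for payload in payloads:
        seen += 1
        buf += payload
        for label, pattern in SIGNATURES.items():
            if pattern.search(buf):
                return label, seen
        if seen >= MAX_PACKETS or len(buf) >= MAX_BYTES:
            break
    return "unknown", seen


def run_scenario():
    """Constructed client-side flows: destination port plus per-packet payloads."""
    handshake = [b"", b""]  # SYN and the final ACK of the handshake carry no payload
    flows = {
        # HTTP on a non-standard port: port-based guess fails, payload match succeeds
        "http-on-8080": (8080, handshake + [b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"]),
        # TLS on port 80: port-based guess is wrong; L7 sees TLS but nothing inside it
        "tls-on-80": (80, handshake + [b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32]),
        # a slightly different protocol version defeats the HTTP/1 regex
        "http2-prior-knowledge": (80, handshake + [b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"]),
        # opaque data: the classifier gives up at the packet cap
        "opaque-on-443": (443, handshake + [bytes([0x8F, 0x2A, 0xC1, 0x77]) * 40] * 10),
    }
    return {name: (port_guess(port), classify_flow(pkts)) for name, (port, pkts) in flows.items()}


if __name__ == "__main__":
    for name, (by_port, by_payload) in run_scenario().items():
        print(f"{name:24s} port={by_port:8s} l7={by_payload}")
```

Note that no flow gets a Layer 7 verdict before the third packet, because the SYN and the handshake ACK carry no payload: a decision that has to be made on the SYN, such as which WAN to route the connection out of, cannot use the classifier's result. The packet and byte caps are what keep the per-flow regex cost bounded on a busy link.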