Demilitarized Zone (DMZ)
Posted August 27, 2008 at 7:31 am in Networking

The demilitarized zone (DMZ), also known as the perimeter network, is a physical or logical subnetwork that creates separation between an internal network and an external untrusted network (usually the Internet). The DMZ provides an additional layer of security to the internal network.
External services such as mail servers, DNS servers, FTP servers, and web servers are exposed within the DMZ. These servers are common targets, and if they sat on the internal network, compromising one would give an attacker a foothold there. With the servers relocated to the DMZ, an attacker who compromises one of them has still not breached the internal network.
This rationale may seem counterintuitive, but many of these servers and services are not critical to business continuity: all of them will have redundancy and readily available backups. If these servers were on the internal network, an attacker who compromised one would essentially have free rein over trade secrets, financial data, employee data, databases, and so on. With the servers in the DMZ, the assets essential to business continuity remain protected within the internal network.
Any service that is provided to users in an external network should be located within the DMZ. A mail server in the DMZ should forward incoming mail from the external network to an internal mail server, and the internal mail server passes outgoing mail to the DMZ mail server. This creates a separation of duties between the mail servers while providing an additional layer of security to the network.
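As an added example (not from the original post), the flows just described modelled as a first-match firewall policy with a default deny, so you can check that a compromised DMZ host gets no further than the single mail hand-off the post allows. The address plan, host addresses and rule set are constructed for illustration.

```python
"""Single-firewall DMZ policy: first match wins, anything unmatched is denied."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample address plan (hypothetical, not from the post).
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}
DMZ_MAIL = "192.0.2.25"       # hypothetical relay in the DMZ
INTERNAL_MAIL = "10.0.0.25"   # hypothetical internal mail server


@dataclass(frozen=True)
class Rule:
    src: str                # zone name or a single host address
    dst: str
    dport: Optional[int]    # None = any port
    action: str             # "allow" or "deny"


def zone_of(addr):
    # Longest prefix wins, so the 0.0.0.0/0 "internet" catch-all only
    # applies to addresses outside the DMZ and internal ranges.
    return max((z for z, net in ZONES.items() if addr in net),
               key=lambda z: ZONES[z].prefixlen)


def _matches(selector, addr):
    if selector in ZONES:
        return zone_of(addr) == selector
    return addr == ipaddress.ip_address(selector)


POLICY = [
    Rule("internet", "dmz", 25, "allow"),            # inbound mail to the DMZ relay
    Rule("internet", "dmz", 443, "allow"),           # public web server
    Rule(DMZ_MAIL, INTERNAL_MAIL, 25, "allow"),      # relay forwards mail inward
    Rule(INTERNAL_MAIL, DMZ_MAIL, 25, "allow"),      # internal server hands off outgoing mail
    Rule("dmz", "internal", None, "deny"),           # nothing else crosses from the DMZ
    Rule("internal", "dmz", None, "allow"),          # staff manage DMZ hosts
    Rule("internet", "internal", None, "deny"),      # no direct path to the internal network
]


def evaluate(src, dst, dport):
    """Return 'allow' or 'deny' for a flow, walking POLICY in order."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in POLICY:
        if _matches(r.src, s) and _matches(r.dst, d) and r.dport in (None, dport):
            return r.action
    return "deny"  # implicit default deny
```

Evaluating the flows in the post: Internet to the DMZ relay on 25 and the relay to the internal mail server on 25 are allowed, while a compromised DMZ web host reaching an internal database port is denied by the zone-level rule.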
There are two common ways to implement a DMZ architecture: single firewall and dual firewall.