Figure A : DMZ Sample Topology
A DMZ is the most common and secure firewall topology. It is often referred to as a screened subnet. A DMZ creates a secure space between your Internet and your network, as shown in Figure A.
A DMZ will typically contain the following:
- Web server
- Mail server
- Application gateway
- E-commerce systems (It should contain only your front-end systems. Your back-end systems should be on your internal network.)
- considered very secure because it supports network- and application-level security in addition to providing a secure place to host your public servers. A bastion host (proxy), modem pools, and all public servers are placed in the DMZ.
- Furthermore, the outside firewall protects against external attacks and manages all Internet access to the DMZ. The inside firewall manages DMZ access to the internal network and provides a second line of defense if the external firewall is compromised. In addition, LAN traffic to the Internet is managed by the inside firewall and the bastion host on the DMZ. With this type of configuration, a hacker must compromise three separate areas (external firewall, internal firewall, and the bastion host) to fully obtain access to your LAN.
Many companies take it one step further by also adding an intrusion detection system (IDS) to their DMZ. By adding an IDS, you can quickly monitor problems before they escalate into major problems.