functioning of their operation. With the installation of some equipment and some time to configure, a VPN, in combination with a solid firewall and a DMZ, will increase productivity and profit—for less than the cost of a new car.
5.4 Setting up a demilitarized zone: A VPN alternative?
Not really an alternative in terms of technology, but a so-called philosophical opposite of a VPN is the demilitarized zone (DMZ). Philosophically, the purpose of both a DMZ and a VPN is to protect business data and resources from unauthorized access while granting outside users access to permitted functions. A DMZ, unlike a VPN, is an area that acts as a bastion between the internal network, the firewall device, and the Internet. Historically, DMZs were created by layering firewall devices. However, with improvements in electronics and firmware, setting up a DMZ can be as easy as plugging a Category 5 (CAT5) Ethernet cable into an Ethernet port labeled “DMZ” on the firewall. Figure 5.2 is a representation of a typical firewall/DMZ arrangement. Depending on configuration, interestingly, a VPN may even be used to connect to
A DMZ is a good place to put machines that need to be accessed from the external Internet when placing them on the internal network is too risky. The ports that must be opened for certain functions (such as web and file serving) are more vulnerable and are hacker magnets; should a single machine on the internal network be compromised, it becomes a hacking waterfall, and every other machine is at risk or compromised in short order. Things such as FTP servers, file servers, web servers, and mail servers are often placed in a DMZ.
5.4.2 Theory of operation
In its simplest terms, a DMZ is a separate network that sits between two “firewalls.” It takes two devices to make a firewall of this kind because the DMZ is, by definition, the more vulnerable of the two networks sitting side by side.
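As an added example (not from the book), the following Python model evaluates a new connection against the two-firewall DMZ layout described above, assuming constructed zones, hosts and service ports: an outer firewall that admits Internet traffic only to published DMZ services, and an inner firewall that lets nothing initiate from the DMZ into the internal network.

```python
from dataclasses import dataclass

# Zones in the order a packet from the Internet traverses them: the outer
# firewall sits between "internet" and "dmz", the inner between "dmz" and
# "internal". All hosts, ports and rules below are constructed for illustration.
ZONES = ("internet", "dmz", "internal")

# Published services on constructed DMZ hosts: the web, mail and FTP servers
# the section says belong in a DMZ, each exposing only its service port.
DMZ_SERVICES = {"web": {80, 443}, "mail": {25}, "ftp": {21}}

@dataclass(frozen=True)
class Flow:
    """A new connection attempt: where it comes from and where it is going."""
    src_zone: str
    dst_zone: str
    dst_host: str  # DMZ host name, or "any" for destinations outside the DMZ
    dport: int

def outer_firewall(flow: Flow) -> bool:
    """Internet|DMZ boundary: from the Internet only the published port on the
    named DMZ host is reachable and nothing passes beyond the DMZ. Flows
    heading out are let through (stateful handling of replies is assumed)."""
    if flow.src_zone == "internet":
        return flow.dst_zone == "dmz" and flow.dport in DMZ_SERVICES.get(flow.dst_host, set())
    return True

def inner_firewall(flow: Flow) -> bool:
    """DMZ|internal boundary: no new connection may enter the internal network,
    so a compromised DMZ host cannot start the "hacking waterfall" described
    in the text; internal hosts may still initiate connections into the DMZ."""
    return flow.dst_zone != "internal"

def firewalls_on_path(flow: Flow) -> list:
    """The firewalls a flow crosses, ordered from the Internet side inward."""
    lo, hi = sorted((ZONES.index(flow.src_zone), ZONES.index(flow.dst_zone)))
    crossed = []
    if lo <= 0 < hi:
        crossed.append(outer_firewall)  # crosses the internet|dmz boundary
    if lo <= 1 < hi:
        crossed.append(inner_firewall)  # crosses the dmz|internal boundary
    return crossed

def permitted(flow: Flow) -> bool:
    """A flow is allowed only if every firewall on its path allows it."""
    return all(fw(flow) for fw in firewalls_on_path(flow))
```

A flow from the Internet to the internal network must satisfy both devices, which is why the model denies it even on a port the DMZ publishes.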