The DMZ
Firewalls often have what is commonly called a DMZ. DMZ stands for demilitarized zone, which of course has nothing to do with computing. This is a military/political term referring to a zone created between opposing forces in which no military activity is allowed. For example, a demilitarized zone was created between North and South Korea.
Note
Using military nomenclature is common in the computing world. From demilitarized zones to Trojan horses to network warriors, we seem to love to militarize what we do, if only in name.
In the network security realm, a DMZ is a network that is neither inside nor outside the firewall. The idea is that this third network can be accessed from inside (and probably outside) the firewall, but security rules will prohibit devices in the DMZ from initiating connections to devices on the inside. A DMZ is therefore less secure than the inside network, but more secure than the outside network: a compromised DMZ host gains no direct path inward.
A common DMZ scenario is shown in Figure 27-1. The Internet is located on the outside interface. The users are on the inside interface. Any servers that need to be accessible from the Internet are located in the DMZ network.
Figure 27-1. Simple DMZ network
In this network, the firewall should be configured as follows:
- Inside network
The inside network can initiate connections to any other network, but no other network can initiate connections to it.
- Outside network
The outside network ...
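As an added illustration (not code from the book), the zone policy described above modelled as a small stateful filter: the inside may initiate to any zone, the outside may initiate only to published DMZ services, and the DMZ may never initiate to the inside, while replies to admitted connections are forwarded by state. The 10.0.0.0/8 inside range, the 192.0.2.0/24 DMZ, the published ports and the denial of DMZ-to-outside initiation are constructed assumptions, since the figure gives none of them.

```python
"""Stateful three-zone firewall policy model: inside, DMZ, outside."""
import ipaddress

# Constructed sample addressing (assumption; the book's figure gives none).
ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}
# Any address not in a known zone is treated as the outside (Internet).

# Services the DMZ publishes to the Internet (assumption: web only).
DMZ_PUBLISHED_PORTS = {80, 443}


def zone_of(addr):
    """Map an IP address to its zone name."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"


def may_initiate(src_zone, dst_zone, dport):
    """Who may open a NEW connection to whom, per the zone rules.
    inside -> anywhere; outside -> DMZ on published ports only;
    DMZ -> inside never; DMZ -> outside denied here (assumption)."""
    if src_zone == "inside":
        return True
    if src_zone == "outside" and dst_zone == "dmz":
        return dport in DMZ_PUBLISHED_PORTS
    return False


class StatefulFirewall:
    def __init__(self):
        self.established = set()  # 4-tuples of admitted connections

    def packet(self, src, sport, dst, dport, syn):
        """Return True if the packet is forwarded, False if dropped."""
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if fwd in self.established or rev in self.established:
            return True  # belongs to a flow admitted earlier, either direction
        if not syn:
            return False  # no state and not a connection attempt
        if may_initiate(zone_of(src), zone_of(dst), dport):
            self.established.add(fwd)
            return True
        return False
```

Note that the reply from the DMZ server to the inside client is forwarded only because the inside host opened the flow; the same DMZ host sending a SYN toward the inside is dropped.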