Firewalls often have a third interface commonly called a DMZ. DMZ stands for demilitarized zone, a term that originally had nothing to do with computing. It is a military/political term for a zone created between opposing forces in which no military activity is allowed; a demilitarized zone was created between North and South Korea, for example.
Using military nomenclature is common in the computing world. From demilitarized zones to Trojan horses to network warriors, we seem to love to militarize what we do, if only in name.
In the network security realm, a DMZ is a network attached to the firewall that is treated as neither inside nor outside. The idea is that this third network can be reached from the inside (and usually from the outside, for the services it publishes), but the firewall's rules prohibit devices in the DMZ from initiating connections to devices on the inside. Replies to connections that the inside initiated are still allowed through, which is what a stateful firewall tracks. A DMZ is less trusted than the inside network but more trusted than the outside network, so a compromised DMZ server gives an attacker a foothold that the firewall still keeps away from the internal hosts.
A common DMZ scenario is shown in Figure 27-1. The Internet is located on the outside interface. The users are on the inside interface. Any servers that need to be accessible from the Internet are located in the DMZ network.
Figure 27-1. Simple DMZ network
In this network, the firewall should be configured as follows:
The inside network can initiate connections to any other network, but no other network can initiate connections to it.
The outside network cannot ...
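The policy behind Figure 27-1 is easier to reason about as a stateful, zone-based rule set: a connection is judged once, by the zone pair and destination port of its first packet, and later packets are permitted only if they belong to a connection that was already approved. The following is an added example and is not code from the book. The address ranges, the published DMZ service ports (80 and 443) and the rule that DMZ hosts may not initiate connections to the Internet are assumptions for the example; the page states only that the inside may initiate to anything, that nothing else may initiate to the inside, and that the Internet-facing servers live in the DMZ.

```python
"""Stateful zone-based policy for a three-interface DMZ firewall.

Added illustration, not the book's code. Addressing, the published DMZ
ports and the DMZ-to-outside rule are assumptions made for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing for the inside and DMZ interfaces; anything else is outside.
ZONES = {
    "inside": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.0.2.0/24"),
}

# Services the DMZ servers publish to the Internet (assumption for the example).
PUBLISHED_DMZ_PORTS = {80, 443}


def zone_of(addr: str) -> str:
    """Map an address to the firewall interface (zone) it arrives on."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"


def initiation_allowed(src_zone: str, dst_zone: str, dst_port: int) -> bool:
    """Policy applied to the FIRST packet of a connection: who may initiate."""
    if src_zone == dst_zone:
        return True            # same-zone traffic never crosses the firewall
    if src_zone == "inside":
        return True            # inside may initiate to any other network
    if dst_zone == "inside":
        return False           # no other network may initiate to the inside
    if src_zone == "outside" and dst_zone == "dmz":
        return dst_port in PUBLISHED_DMZ_PORTS   # only the published services
    return False               # assumption: DMZ hosts do not initiate to the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False          # True only on the first packet of a TCP connection


class StatefulFirewall:
    """Tracks approved connections so replies pass without a reverse rule."""

    def __init__(self) -> None:
        self._conns: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self._conns or rev in self._conns:
            return "PERMIT (established)"
        if not pkt.syn:
            return "DENY (no matching connection)"   # stray or spoofed "reply"
        if initiation_allowed(zone_of(pkt.src), zone_of(pkt.dst), pkt.dport):
            self._conns.add(fwd)
            return "PERMIT (new)"
        return "DENY (policy)"


def demo() -> list[str]:
    """Run constructed sample packets through the policy; addresses are made up."""
    fw = StatefulFirewall()
    return [
        # inside user opens HTTPS to the DMZ web server
        fw.filter(Packet("10.1.1.5", 40000, "192.0.2.10", 443, syn=True)),
        # the DMZ server's reply rides the established connection back inside
        fw.filter(Packet("192.0.2.10", 443, "10.1.1.5", 40000)),
        # Internet client to the published web service in the DMZ
        fw.filter(Packet("203.0.113.7", 51000, "192.0.2.10", 80, syn=True)),
        # Internet client to SSH on the same DMZ host: not published
        fw.filter(Packet("203.0.113.7", 51001, "192.0.2.10", 22, syn=True)),
        # a compromised DMZ host tries to open SMB to an inside file server
        fw.filter(Packet("192.0.2.10", 33000, "10.1.1.20", 445, syn=True)),
        # the same host forges a non-SYN "reply" to slip past the policy
        fw.filter(Packet("192.0.2.10", 443, "10.1.1.20", 445)),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The last two packets are the point of the design: whether the DMZ host sends a fresh SYN or a forged mid-stream packet, nothing reaches the inside unless an inside host opened the connection first. Real firewalls keep the same table keyed on the full 5-tuple plus TCP state, and time entries out; this evaluator omits protocol and timeouts to keep the policy visible.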