The DMZ

Firewalls often have what is commonly called a DMZ. DMZ stands for demilitarized zone, a term borrowed from military and political usage rather than computing: it refers to a zone created between opposing forces in which no military activity is allowed, such as the one between North and South Korea.

In the realm of security, a DMZ is a third network attached to the firewall that is neither inside nor outside. Hosts on the inside can reach it, and by design so can hosts on the outside, but the firewall's rules prohibit devices in the DMZ from initiating connections to devices on the inside. A DMZ is therefore less trusted than the inside network but more protected than the outside network: if a server in the DMZ is compromised, the attacker gains a foothold there but not a path inward.

A common DMZ scenario is shown in Figure 25-1. The Internet is located on the outside interface. The users are on the inside interface. Any servers that need to be accessible from the Internet are located in the DMZ network.

Figure 25-1. Simple DMZ network

The firewall would be configured as follows:

Inside network

The inside network can initiate connections to any other network, but no other network can initiate connections to it.

Outside network

The outside network cannot initiate connections to the inside network. The outside network can initiate connections to the DMZ, and in practice only to the services the DMZ servers are meant to publish.

DMZ

The DMZ can initiate connections to the outside network, but not to the inside network. Any other network ...
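The three rules above describe which zone may initiate a connection to which; a stateful firewall then admits the return traffic of connections it has already seen, which is what lets an inside user talk to a DMZ server without ever letting the DMZ server open a connection inward. The following Python model is an added example, not configuration from Network Warrior or from any firewall vendor; the address plan (10.0.0.0/8 inside, 192.0.2.0/24 DMZ, everything else outside) and the TCP-only state table are assumptions made for the illustration.

```python
"""Three-zone (inside / DMZ / outside) stateful policy, modelled in Python.

Added example, not from the book. Addresses and zone boundaries below are
assumed for illustration only.
"""
import ipaddress

# Assumed address plan: inside and DMZ are explicit; anything else is outside.
ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

# Which zone may INITIATE a connection to which. Anything not listed is denied,
# so outside->inside and dmz->inside never appear here.
MAY_INITIATE = {
    ("inside", "outside"),
    ("inside", "dmz"),
    ("outside", "dmz"),
    ("dmz", "outside"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; outside is the catch-all."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"


class StatefulFirewall:
    """Decides per TCP segment; remembers connections it has allowed."""

    def __init__(self) -> None:
        # Entries are (src, sport, dst, dport) of connections allowed to start.
        self.state: set[tuple[str, int, str, int]] = set()

    def filter(self, src: str, sport: int, dst: str, dport: int,
               syn: bool = True) -> str:
        """Return 'allow' or 'deny' for one segment.

        syn=True marks a connection attempt; syn=False marks later segments,
        including replies, which are only admitted for a known connection.
        """
        # Reply direction of an established connection: the tuple is reversed.
        if (dst, dport, src, sport) in self.state:
            return "allow"
        # Continuation of a connection we already allowed in this direction.
        if (src, sport, dst, dport) in self.state:
            return "allow"
        if not syn:
            # No state and not a connection attempt: spoofed or stray traffic.
            return "deny"
        if (zone_of(src), zone_of(dst)) in MAY_INITIATE:
            self.state.add((src, sport, dst, dport))
            return "allow"
        return "deny"


def demo() -> list[tuple[str, str]]:
    """Run a constructed packet sequence through the policy."""
    fw = StatefulFirewall()
    inside, dmz, outside = "10.1.1.5", "192.0.2.10", "203.0.113.7"
    return [
        ("inside -> dmz https", fw.filter(inside, 40000, dmz, 443)),
        ("dmz -> inside reply", fw.filter(dmz, 443, inside, 40000, syn=False)),
        ("dmz -> inside ssh (new)", fw.filter(dmz, 50000, inside, 22)),
        ("outside -> dmz http", fw.filter(outside, 51000, dmz, 80)),
        ("outside -> inside http", fw.filter(outside, 51001, inside, 80)),
        ("dmz -> outside dns", fw.filter(dmz, 52000, "198.51.100.1", 53)),
        ("outside -> inside non-syn", fw.filter(outside, 51002, inside, 445, syn=False)),
    ]


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label:28s} {verdict}")
```

The important case is the third packet: the DMZ server replies to the inside user's connection (allowed, because the state table holds the reversed tuple) but is denied when it tries to open a new SSH session inward. A real firewall tracks far more than a 4-tuple (sequence numbers, timeouts, UDP and ICMP pseudo-state), but the zone-initiation matrix is the part a reviewer should read first when auditing a DMZ design.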
