Firewalls often have what is commonly called a DMZ. DMZ stands for DeMilitarized Zone, which of course has nothing to do with computing. This is a military/political term referring to a zone created between opposing forces in which no military activity is allowed. For example, a demilitarized zone was created between North and South Korea.
In the realm of security, a DMZ is a network that is neither inside nor outside the firewall. The idea is that this third network can be accessed from inside, and probably outside the firewall, but security rules will prohibit devices in the DMZ from connecting to devices on the inside. A DMZ is less secure than the inside network, but more secure than the outside network.
A common DMZ scenario is shown in Figure 25-1. The Internet is located on the outside interface. The users are on the inside interface. Any servers that need to be accessible from the Internet are located in the DMZ network.
Figure 25-1. Simple DMZ network
The firewall would be configured as follows:
The inside network can initiate connections to any other network, but no other network can initiate connections to it.
The outside network cannot initiate connections to the inside network. The outside network can initiate connections to the DMZ.
The DMZ can initiate connections to the outside network, but not to the inside network. Any other network ...