11.1. DMZ Network Design
Traditionally, the DMZ was built at the router level. A separate interface was added to the router, and a network segment hanging off that interface was set aside strictly for the public servers. Because the segment terminates directly on a router interface, traffic destined for those servers never passes through the firewall at all (Figure 11.1).
Figure 11.1. A traditional DMZ design: The DMZ network terminates at the router, and none of the DMZ servers are protected by the firewall
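The defect in Figure 11.1 is a property of the topology, not of any one device's configuration: the DMZ segment can be reached from the outside along a path that never touches a firewall. The following is an added example, not code from the book, that models the two topologies as small adjacency maps (constructed here; the firewall-terminated variant, in which the DMZ hangs off a firewall interface instead of the router, is an assumed alternative used for contrast) and checks whether every path from the untrusted network into the DMZ crosses a firewall.

```python
"""Check whether a DMZ segment is reachable from the untrusted network without
crossing a firewall. Constructed example topologies; not the book's own code."""


def all_simple_paths(topology, src, dst):
    """Enumerate simple paths (no repeated node) from src to dst.

    topology is an undirected adjacency map: node -> list of neighbouring nodes.
    """
    paths = []
    stack = [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        for nxt in topology[node]:
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return paths


def unprotected_paths(topology, firewalls, src, dst):
    """Return the paths from src to dst that do not traverse any firewall node."""
    return [
        path
        for path in all_simple_paths(topology, src, dst)
        if not any(hop in firewalls for hop in path)
    ]


def dmz_is_firewalled(topology, firewalls, untrusted="internet", dmz="dmz"):
    """True only if every path from the untrusted segment into the DMZ crosses a firewall."""
    return not unprotected_paths(topology, firewalls, untrusted, dmz)


# Constructed topology matching Figure 11.1: the DMZ terminates on a router
# interface, and only the internal network sits behind the firewall.
TRADITIONAL = {
    "internet": ["router"],
    "router": ["internet", "firewall", "dmz"],
    "firewall": ["router", "internal"],
    "dmz": ["router"],
    "internal": ["firewall"],
}

# Assumed alternative for contrast (not described on this page): the DMZ
# segment is moved onto a dedicated firewall interface.
FIREWALL_TERMINATED = {
    "internet": ["router"],
    "router": ["internet", "firewall"],
    "firewall": ["router", "dmz", "internal"],
    "dmz": ["firewall"],
    "internal": ["firewall"],
}

FIREWALLS = {"firewall"}


if __name__ == "__main__":
    for name, topo in (("traditional", TRADITIONAL),
                       ("firewall-terminated", FIREWALL_TERMINATED)):
        bypass = unprotected_paths(topo, FIREWALLS, "internet", "dmz")
        status = "protected" if not bypass else "UNPROTECTED via " + " -> ".join(bypass[0])
        print(f"{name:20s} DMZ: {status}")
    # In the traditional design the internal network is still behind the firewall,
    # which is why the weakness is easy to overlook.
    print("traditional internal bypass paths:",
          unprotected_paths(TRADITIONAL, FIREWALLS, "internet", "internal"))
```

Running the check against the traditional layout reports the single bypass path internet -> router -> dmz, while the same query for the internal network returns no bypass paths: the firewall does its job for the inside, and the public servers are simply outside its reach. The same function can be pointed at a larger adjacency map exported from a network inventory to find any segment that an "untrusted" node reaches without a firewall hop.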
The problem with this traditional design is that it does not adequately take into account the security needs of these public servers. ...