11.1. DMZ Network Design

Traditionally, the DMZ was built at the router level: a separate interface was added to the router, and the network segment behind it was set aside strictly for the public servers. Because that segment hangs directly off a router interface, traffic from the Internet to the public servers reaches them without ever passing through the firewall (Figure 11.1).

Figure 11.1. A traditional DMZ design: The DMZ network terminates at the router, and none of the DMZ servers are protected by the firewall

The problem with this traditional design is that it does not adequately take into account the security needs for these public servers. ...
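The weakness is easiest to see when the two layouts are written down as a topology and checked mechanically. The following is an added example, not code from the book: it models the traditional router-attached DMZ of Figure 11.1 next to a layout in which the DMZ segment sits behind the firewall, then searches for any path from the Internet to a public server that never crosses a firewall. The node names, the two topologies and the single firewall node are assumptions made for illustration.

```python
"""Check whether Internet traffic can reach DMZ hosts without crossing a firewall.

Constructed example, not the book's own code. Node names and both topologies
are assumptions; each topology is an undirected adjacency list (node -> neighbours).
"""
from collections import deque

# Traditional design (Figure 11.1): the DMZ segment hangs off a router
# interface, so the router forwards Internet traffic to it directly.
TRADITIONAL_DMZ = {
    "internet": {"border-router"},
    "border-router": {"internet", "firewall", "dmz-segment"},
    "firewall": {"border-router", "internal-lan"},
    "dmz-segment": {"border-router", "www", "smtp"},
    "www": {"dmz-segment"},
    "smtp": {"dmz-segment"},
    "internal-lan": {"firewall"},
}

# Firewalled design: the DMZ segment is a third firewall interface, so every
# packet from the Internet to a DMZ host is forwarded (and filtered) by it.
FIREWALLED_DMZ = {
    "internet": {"border-router"},
    "border-router": {"internet", "firewall"},
    "firewall": {"border-router", "dmz-segment", "internal-lan"},
    "dmz-segment": {"firewall", "www", "smtp"},
    "www": {"dmz-segment"},
    "smtp": {"dmz-segment"},
    "internal-lan": {"firewall"},
}

# Only these nodes inspect traffic; everything else just forwards it.
FIREWALLS = {"firewall"}
PUBLIC_SERVERS = ["www", "smtp"]


def reachable_avoiding(topology, source, blocked):
    """Breadth-first search from `source` that refuses to enter any node in `blocked`.

    Returns the set of nodes reachable on at least one path that avoids every
    blocked node. Checking "some path avoids the firewall" is the right question;
    checking only the shortest path would miss a second, unfiltered route.
    """
    seen = {source}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for nxt in topology[node]:
            if nxt in blocked or nxt in seen:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return seen


def uninspected_hosts(topology, hosts=PUBLIC_SERVERS, firewalls=FIREWALLS):
    """Hosts that Internet traffic can reach without ever crossing a firewall."""
    exposed = reachable_avoiding(topology, "internet", firewalls)
    return sorted(h for h in hosts if h in exposed)


def exposed_internal_segments(topology, firewalls=FIREWALLS):
    """Sanity check: segments other than the DMZ that bypass the firewall too."""
    exposed = reachable_avoiding(topology, "internet", firewalls)
    return sorted(n for n in exposed if n.startswith("internal"))


if __name__ == "__main__":
    for name, topo in (("traditional", TRADITIONAL_DMZ), ("firewalled", FIREWALLED_DMZ)):
        print(f"{name:12s} unfiltered DMZ hosts: {uninspected_hosts(topo)}")
```

Run as-is, the traditional layout reports both public servers as reachable with no firewall in the path, while the firewalled layout reports none; in both, the internal LAN is only reachable through the firewall. The check is deliberately stated as "is there any firewall-free path" rather than "does the shortest path cross the firewall", because a redundant router link or a second uplink would otherwise hide the exposure.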