Using firewalls to separate DMZ networks
DMZ networks (demilitarized zone networks, also known as perimeter networks) are isolated environments for servers that offer services mainly for external access.
| Description | Implications on Firewalls | |
|---|---|---|
| Main purpose | DMZs provide a limited number of services, mostly for external users. The services are often business-critical and open for public access. | The Firewall selects which traffic is permitted into and out of the DMZs. The Firewall typically also translates IP addresses from public IP addresses that are routable in the external networks to private addresses used in internal networks. VPNs can be used to provide services for partner-type users. |
| Hosts | A uniform environment consisting mainly of servers that often provide public or semi-public services. | A limited number of services are provided to an often large number of hosts. Some types of administrative access are allowed to a few specific trusted hosts. |
| Users | Mostly unknown, but some services can be for specific users. Administrators have wider permissions. | Users are often unknown or authenticated by the target servers themselves. Firewall authentication can be useful for restricting administrator rights from internal networks. |
| Traffic volume | Low to medium, generally the full bandwidth of all Internet links combined (shared with other local networks). Traffic to other local networks can be high in volume. | Hardware requirements vary depending on the environment. Clustering allows flexible adjustments to throughput. The inbound traffic management features can balance traffic between redundant servers. |
| Traffic type | Rather uniform traffic, with only specific applications and servers communicating within, into, and out of the networks. | The Firewall controls which traffic is allowed access in and out of each DMZ from external and internal networks. Usually, only a few specific services have to be allowed. Advanced inspection checks can be activated on the Firewall and traffic can be redirected to a proxy service, depending on the protocol. |
| Network security | A network between the trusted and untrusted security zones allowing access for authorized and public use. | External access to services makes the servers in a DMZ a target for attacks. Connections between the DMZ networks and to other internal networks facilitate further attacks, so these connections must be strictly controlled. |