Chapter 11. The DMZ


A common design used to enhance network security is the DMZ, also known as a perimeter network. A DMZ separates the servers that must be reachable from the public Internet from the systems that hold sensitive information. Servers in the DMZ have to be reachable by everyone, but they still need some level of protection. The servers most commonly placed within a DMZ are web, DNS, and mail servers.

The DMZ is a good example of layered security design. By isolating the public servers on their own segment, with a filtering device between that segment and the internal network, very little traffic needs to pass between the two, and the traffic that does pass can be restricted to specific services. This isolation limits how far an attacker who compromises one of the servers within the DMZ can penetrate into the rest of the network. That is the purpose of the DMZ: to contain and limit the damage an attacker can do by gaining access to a single server.

The most common use of a DMZ is to isolate servers that require public access. However, that is not the only purpose a DMZ can serve. A DMZ can also be used to isolate servers on the internal network, limiting who can access them, or to isolate whole networks from the rest of the organization, which is especially useful where extreme privacy is required.

While there are many uses for the DMZ, the primary one is to isolate public servers. Of course, like most aspects of security, there is some debate about the best way to implement a DMZ, including whether a single DMZ or multiple DMZs is the better design. The truth is that the best DMZ design varies from network to network and depends largely on the security needs of the organization and the budget available.
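To make the isolation described above concrete, here is an added example (not code from the book or its author) that models a three-legged firewall with Internet, DMZ and internal interfaces, evaluates individual flows against a first-match policy, and renders the same policy as an nftables forward chain. The subnets, interface names, and the single database port allowed from the DMZ into the internal network are assumptions made for the example.

```python
"""Three-zone DMZ policy model: Internet, DMZ, internal network.

Added example, not code from the book. The address plan, interface names,
port numbers and rule order are assumptions chosen to illustrate the
isolation the chapter describes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan (assumption): the DMZ and the internal network
# each get their own subnet; anything else is treated as the Internet.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}
# Firewall interface facing each zone (assumption).
IFACES = {"internet": "eth0", "dmz": "eth1", "internal": "eth2"}


def zone_of(addr: str) -> str:
    """Map an address to its zone; unknown address space is the Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None matches any port
    action: str             # "accept" or "drop"
    comment: str


# First-match policy, evaluated top to bottom. Specific accepts come
# before the zone-wide drops that implement the isolation.
POLICY: List[Rule] = [
    # Public services in the DMZ: web, DNS and mail, as the chapter lists.
    Rule("internet", "dmz", "tcp", 80,  "accept", "public web"),
    Rule("internet", "dmz", "tcp", 443, "accept", "public web TLS"),
    Rule("internet", "dmz", "udp", 53,  "accept", "public DNS"),
    Rule("internet", "dmz", "tcp", 53,  "accept", "public DNS over TCP"),
    Rule("internet", "dmz", "tcp", 25,  "accept", "inbound mail"),
    # A DMZ host gets exactly the internal services it needs, nothing else.
    Rule("dmz", "internal", "tcp", 3306, "accept", "web tier to database (assumed)"),
    Rule("dmz", "internal", "any", None, "drop",   "compromised DMZ host cannot roam inside"),
    # DMZ egress limited to what the mail and DNS servers need.
    Rule("dmz", "internet", "tcp", 25, "accept", "outbound mail"),
    Rule("dmz", "internet", "udp", 53, "accept", "recursive DNS"),
    Rule("dmz", "internet", "any", None, "drop", "no other DMZ egress"),
    # Inside may manage the DMZ and reach the Internet; outside never reaches inside.
    Rule("internal", "dmz", "any", None, "accept", "administration from inside"),
    Rule("internal", "internet", "any", None, "accept", "outbound from inside"),
    Rule("internet", "internal", "any", None, "drop", "nothing from outside reaches inside"),
]


def evaluate(src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, comment) of the first matching rule; the default is drop."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for r in POLICY:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.comment
    return "drop", "default deny"


def to_nftables(policy: List[Rule]) -> str:
    """Render the policy as an nftables forward chain on a three-legged firewall."""
    lines = [
        "table inet dmz {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in policy:
        match = f'iifname "{IFACES[r.src_zone]}" oifname "{IFACES[r.dst_zone]}"'
        if r.dport is not None:
            match += f" {r.proto} dport {r.dport}"
        elif r.proto != "any":
            match += f" meta l4proto {r.proto}"
        lines.append(f'    {match} {r.action} comment "{r.comment}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed flows: an Internet visitor, a DMZ web server, an internal host.
    for flow in [("203.0.113.7", "192.0.2.10", "tcp", 443),
                 ("203.0.113.7", "10.1.1.1", "tcp", 443),
                 ("192.0.2.10", "10.1.1.1", "tcp", 22),
                 ("192.0.2.10", "10.1.1.1", "tcp", 3306),
                 ("192.0.2.10", "203.0.113.7", "tcp", 4444)]:
        print(flow, "->", evaluate(*flow))
    print(to_nftables(POLICY))
```

The flows in the usage block are the ones a practitioner checks after building a DMZ: a visitor can reach the web server, a visitor cannot reach anything inside, and a web server that has been compromised can reach only the one database port it was granted and cannot open an arbitrary outbound connection. The `established,related` rule at the top of the chain is what lets replies flow back without a second set of rules, so the stateful firewall only needs to express the direction in which connections are initiated.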

NOTE

A DMZ adds some network overhead: traffic to and from the DMZ servers must now pass through the filtering device that separates the segments, so expect a small performance dip for those servers once the DMZ is in place. It is not a large decrease, but it is something to note and plan for.

The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska