Trusted, Untrusted, and DMZ Defined

The PIX firewall always contains trusted and untrusted areas that are used to identify the types of areas around the firewall. Firewalls with more than two interfaces can contain areas called DMZs. These areas are created to support servers that need to be accessed from an untrusted area without compromising the trusted locations. This section covers each in more detail.

Trusted

The term trusted is used to refer to users and computers that are in an area considered more secure or protected. This area is typically a private section of the network that needs to be protected against malicious hackers and other security threats. Security in the trusted area is established by blocking all traffic from less trusted sections of the firewall.

Untrusted

The term untrusted defines areas of the network that might contain malicious hackers or other security threats. One good example of an untrusted area is the Internet side of your firewall or even segments of your own internal network that are exposed to unknown access. Such an area could be a segment exposed to outside use ”for example, kiosk computers on a storeroom floor.

DMZ

The demilitarized zone ( DMZ ) sits between both trusted and untrusted areas and usually hosts computers that need to be available to users from both of these areas. For example, a Web server in the DMZ can be accessed by people on the Internet, which is untrusted, as well as by users in the private trusted network. From the perspective of the inside, private, and trusted portion of your network, the DMZ area is considered untrusted, so traffic initiated from computers in the DMZ is blocked.