Ask the Expert

Designing DMZs with various levels of access

I need some information on designing DMZs for my local users, customers, partners and application servers with different levels of access. I have more than 1,100 workstations on my LAN, and I want to define different levels of access for local users, too. I appreciate any guidance.

    Requires Free Membership to View

Typically the DMZ is designed as the first stop into any company that is connected to the Internet. Do not place any e-mail, databases or any other data that is critical to your company in this zone.

Place servers that you connect for authentication. Now when these devices connect back through the DMZ to say a database zone, create a network subnet with only those devices. This separates other internal systems from the external and provides a layered approach. Now, anyone needing to access say e-mail or other data (shares, files, etc) put them in another network off the DMZ. I always recommend firewalls at both sides of the DMZ and IDS systems external -- one in the DMZ, one in the Database zone and others more or less in all zones.

Security must be addressed as a layered approach. The first step is to filter all traffic before it enters the DMZ. So a router only letting in say port 80, 443 to the DMZ. Then the DMZ will only allow traffic such as any application in the DMZ e-mail, SMTP. Please no FTP, because it's too insecure.The DMZ should only allow valid traffic to the devices behind it.


For more info on this topic, please visit these SearchSecurity.com resources:
  • Best Web Links: Infrastructure and network security
  • SearchSecurity.com Glossary: DMZ
  • White paper: Best practices for Secure Development
  • This was first published in January 2004

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: