Q

Designing DMZs with various levels of access

I need some information on designing DMZs for my local users, customers, partners and application servers with different levels of access. I have more than 1,100 workstations on my LAN, and I want to define different levels of access for local users, too. I appreciate any guidance.

Typically the DMZ is designed as the first stop into any company that is connected to the Internet. Do not place any e-mail, databases or any other data that is critical to your company in this zone.

Place servers that you connect for authentication. Now when these devices connect back through the DMZ to say a database zone, create a network subnet with only those devices. This separates other internal systems from the external and provides a layered approach. Now, anyone needing to access say e-mail or other data (shares, files, etc) put them in another network off the DMZ. I always recommend firewalls at both sides of the DMZ and IDS systems external -- one in the DMZ, one in the Database zone and others more or less in all zones.

Security must be addressed as a layered approach. The first step is to filter all traffic before it enters the DMZ. So a router only letting in say port 80, 443 to the DMZ. Then the DMZ will only allow traffic such as any application in the DMZ e-mail, SMTP. Please no FTP, because it's too insecure.The DMZ should only allow valid traffic to the devices behind it.


For more info on this topic, please visit these SearchSecurity.com resources:
  • Best Web Links: Infrastructure and network security
  • SearchSecurity.com Glossary: DMZ
  • White paper: Best practices for Secure Development
  • This was first published in January 2004

    Dig deeper on DMZ Setup and Configuration

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    -ADS BY GOOGLE

    SearchCloudSecurity

    SearchNetworking

    SearchCIO

    SearchConsumerization

    SearchEnterpriseDesktop

    SearchCloudComputing

    ComputerWeekly

    Close