Ask the Expert

Placing your servers outside the DMZ

Our Web, FTP (file transfer protocol) and DNS (domain name system) servers are placed in a DMZ (demilitarized zone) and allowed access from the outside zone on only certain ports. If I keep the servers in the inside zone and then allow outside access to the ports, what is the difference? We practically use the same commands in Cisco PIX firewall to allow the ports for access from lower security zones to higher security zones.


Good question. A good reason for placing these servers in a DMZ, rather than on the inside network, is to prevent attacks that may come from inside or outside your network. Studies have shown that a majority of security incidents are caused by insiders. Doesn't it make sense that you should have the same rules for inside and outside access? Another reason for segregating the servers to a DMZ is to help protect your internal network. For example, there are many attacks that now operate over Port 80, which you need open for your Web server. By putting the Web server in a DMZ, you could leave Port 80 open for the DMZ, but might be able to leave it closed for the internal network. If you had the server on that internal network, you couldn't close that port. You always want to deny everything and then allow as needed. By putting the servers in a DMZ, you have more granularity in applying that security axiom.
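
The placement difference discussed above, as an added example that is not part of the original answer: a simplified Python model (not PIX syntax) in which the firewall filters only traffic that crosses zones and denies it by default. Host names, ports and the web-to-database permit are constructed assumptions.

```python
# Simplified model (an assumption, not PIX syntax): the firewall only sees
# traffic that crosses between zones; it denies by default and allows a flow
# only when an explicit permit matches. Hosts and ports are constructed.
from typing import NamedTuple

class Permit(NamedTuple):
    src_zone: str
    dst_host: str
    port: int

def decide(zones, permits, src, dst, port):
    """Return 'unfiltered', 'permit' or 'deny' for src -> dst:port."""
    src_zone = zones.get(src, "outside")   # unknown hosts are on the outside
    dst_zone = zones[dst]
    if src_zone == dst_zone:
        return "unfiltered"                # same segment: never reaches the firewall
    for p in permits:
        if (p.src_zone, p.dst_host, p.port) == (src_zone, dst, port):
            return "permit"
    return "deny"                          # deny everything not explicitly allowed

def exposure(zones, permits, server, targets):
    """Flows a compromised `server` could open to internal targets."""
    results = {f"{h}:{port}": decide(zones, permits, server, h, port)
               for h, port in targets}
    return {flow: verdict for flow, verdict in results.items() if verdict != "deny"}

INTERNAL = [("fileserver", 445), ("database", 1433), ("workstation", 3389)]
BASE = {"fileserver": "inside", "database": "inside", "workstation": "inside"}

# Placement A: web server on the inside network, port 80 opened from outside.
zones_inside = {**BASE, "web": "inside"}
permits_inside = [Permit("outside", "web", 80)]

# Placement B: web server in the DMZ with the same port 80 rule, plus the one
# back-end flow the application needs (hypothetical: web -> database).
zones_dmz = {**BASE, "web": "dmz"}
permits_dmz = [Permit("outside", "web", 80), Permit("inside", "web", 80),
               Permit("dmz", "database", 1433)]

if __name__ == "__main__":
    for name, z, p in [("inside", zones_inside, permits_inside),
                       ("dmz", zones_dmz, permits_dmz)]:
        print(name, "internet->web:80 =", decide(z, p, "internet", "web", 80))
        print(name, "web can reach:", exposure(z, p, "web", INTERNAL))
```

The inbound port 80 rule is identical in both placements; what changes is that traffic between the web server and internal hosts is filtered only when the server sits in its own zone.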

This was first published in May 2003.