Role and placement of a DMZ on a network

Referencing your Q&A from Aug. 29, what role does a demilitarized zone (DMZ) play on a network? Where is it placed?

Let's handle the placement first. The DMZ is placed in conjunction with your firewall. If you have a dual-bastion firewall, the DMZ is the segment between the two bastion hosts that make up the firewall. If you have a single firewall machine, the DMZ sits on its own interface of the firewall, separate from the interface that serves the rest of the network being protected.

The main purpose of a DMZ is to provide a place for systems on your network that need less protection than the rest of your systems. Examples include systems that must be reachable from the Internet, such as Web and e-mail servers. The DMZ segment of your network must use public IP addressing, whereas the rest of your network can use private IP addresses, with Network Address Translation in the firewall allowing those hosts to communicate outward. The SANS Institute has a paper entitled "Designing a DMZ" that provides much more information on this topic.
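The single-firewall, separate-interface design described above, as an added example that is not part of the original answer: a small zone-based policy checker with constructed sample addressing (the DMZ block 203.0.113.0/24 stands in for a real public allocation, and the rule table is illustrative). It shows which flows cross the firewall, that a DMZ host cannot initiate connections into the internal LAN, and which flows the firewall must NAT because the LAN uses private addresses.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing: the DMZ is a public block on its own firewall
# interface; the internal LAN is RFC 1918 space hidden behind NAT.
ZONES = {
    "dmz": ipaddress.ip_network("203.0.113.0/24"),  # placeholder for a public block
    "lan": ipaddress.ip_network("10.0.0.0/8"),
}

# Ordered rule table: (source zone, destination zone, allowed ports or "any").
# Anything not matched falls through to the default deny. There is no rule
# from "dmz" to "lan": a compromised DMZ host must not reach internal systems.
RULES = [
    ("wan", "dmz", {25, 80, 443}),  # Internet may reach DMZ mail and web servers
    ("lan", "dmz", "any"),          # internal hosts use and manage DMZ services
    ("lan", "wan", "any"),          # internal hosts reach the Internet (NATed)
    ("dmz", "wan", {25, 53}),       # DMZ mail relay needs outbound SMTP and DNS
]


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    src_zone: str
    dst_zone: str
    nat: bool  # True when the firewall must source-NAT the flow


def zone_of(ip):
    """Map an address to its firewall zone; anything not in DMZ or LAN is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


def evaluate(src_ip, dst_ip, dst_port):
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        # Same segment: the traffic never crosses the firewall.
        return Verdict(True, src_zone, dst_zone, False)
    for rule_src, rule_dst, ports in RULES:
        if (rule_src, rule_dst) == (src_zone, dst_zone) and (ports == "any" or dst_port in ports):
            # LAN addresses are private and not routable on the Internet, so the
            # firewall rewrites the source of LAN-to-Internet flows.
            return Verdict(True, src_zone, dst_zone, nat=(src_zone == "lan" and dst_zone == "wan"))
    return Verdict(False, src_zone, dst_zone, False)
```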

This was last published in November 2001

