There are many ways to implement a DMZ. The following points should be considered when building one:
- Clarify the purpose of the DMZ before choosing a particular design
- Choose between a dual-homed and a single-homed DMZ design
- Decide on the number of network segments in the DMZ, e.g. an external-facing network, an internal-facing network, and additional networks for dedicated purposes
- Design how systems management of the DMZ infrastructure and application servers will be done, e.g. via dedicated management interfaces on a separate management network
- Decide how many switches to use (sharing hardware such as switches between external and internal segments is a security risk, since a VLAN misconfiguration or a compromised switch bridges the two; thanks André for this)
- Decide which DMZ elements to virtualize and which to keep physical
- Decide which network or infrastructure services to implement separately (reusing the internal DNS, Active Directory etc. from the DMZ is a security risk, because a compromised DMZ host then has a direct path to core internal services)
- Define policies for how the DMZ is used and clarify ownership responsibilities
- Define change management procedures and oversight responsibilities for the DMZ
Note: This list is not exhaustive.
Note: A dual-homed DMZ design has two firewalls: an external one between the Internet and the DMZ, and an internal one between the DMZ and the internal network, so a single misconfiguration or compromised device does not expose the internal network directly. A single-homed DMZ design has only one firewall with an interface on each segment (a quick and cheap approach, with a higher risk of exposure).
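As an added example (this is not code from the ACROSEC page), the following Python script models the choices above as segments, firewalls and allow rules, and checks a design against several of the points in the list: that no single firewall faces both the Internet and the internal network (the dual-homed design), that nothing flows straight from the Internet to the internal network, that DMZ hosts are managed only from a dedicated management segment, and that DMZ hosts do not consume internal AD/DNS. It also computes the fewest permitted hops an attacker who fully compromises each host reached would need to get from the Internet to the internal network. The segment names, service names, the two constructed topologies and their rule sets are all assumptions made for the example.

```python
"""Sanity checks for a DMZ design expressed as segments, firewalls and rules.

Added example; not code from the ACROSEC page. Segment names, services and
the rule sets below are assumptions invented to illustrate the checklist.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # source segment
    dst: str      # destination segment
    service: str  # e.g. "https", "ssh", "ldap"


@dataclass(frozen=True)
class Firewall:
    name: str
    interfaces: frozenset  # segments attached to this firewall
    rules: frozenset       # Rule objects configured on it

    def enforceable(self):
        """Rules whose src and dst are both attached; anything else is dead config."""
        return [r for r in self.rules if r.src in self.interfaces and r.dst in self.interfaces]


@dataclass(frozen=True)
class Topology:
    firewalls: tuple

    def flows(self):
        """All permitted segment-to-segment flows, in a deterministic order."""
        out = {r for fw in self.firewalls for r in fw.enforceable()}
        return sorted(out, key=lambda r: (r.src, r.dst, r.service))


# Assumed lists: services only the internal network should provide, and admin protocols.
INTERNAL_ONLY = {"ldap", "kerberos", "dns", "smb"}
MANAGEMENT = {"ssh", "rdp", "snmp"}


def check_design(topo, external, internal, management, dmz_segments):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Dual-homed design: no single device should face both the Internet and the LAN.
    for fw in topo.firewalls:
        if external in fw.interfaces and internal in fw.interfaces:
            findings.append(f"{fw.name}: faces both {external} and {internal} (single-firewall design)")
    for r in topo.flows():
        # No flow may bypass the DMZ entirely.
        if r.src == external and r.dst == internal:
            findings.append(f"{r.src}->{r.dst}/{r.service}: bypasses the DMZ")
        # DMZ hosts are managed only from the dedicated management segment.
        if r.dst in dmz_segments and r.service in MANAGEMENT and r.src != management:
            findings.append(f"{r.src}->{r.dst}/{r.service}: management not from {management}")
        # DMZ hosts must not depend on internal AD/DNS; run separate instances in the DMZ.
        if r.src in dmz_segments and r.dst == internal and r.service in INTERNAL_ONLY:
            findings.append(f"{r.src}->{r.dst}/{r.service}: reuses internal infrastructure service")
    return findings


def pivot_depth(topo, src, dst):
    """Fewest permitted hops from src to dst if every host reached is fully
    compromised (worst case); None if dst is unreachable that way."""
    flows = topo.flows()
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        seg, depth = queue.popleft()
        if seg == dst:
            return depth
        for r in flows:
            if r.src == seg and r.dst not in seen:
                seen.add(r.dst)
                queue.append((r.dst, depth + 1))
    return None


# Constructed dual-homed design: outer and inner firewall, two DMZ segments,
# a management segment, and a DMZ-local DNS resolver living in dmz-int.
TWO_FW = Topology((
    Firewall("fw-outer", frozenset({"internet", "dmz-ext"}), frozenset({
        Rule("internet", "dmz-ext", "https"),
    })),
    Firewall("fw-inner", frozenset({"dmz-ext", "dmz-int", "mgmt", "internal"}), frozenset({
        Rule("dmz-ext", "dmz-int", "https"),    # web tier to app tier
        Rule("dmz-ext", "dmz-int", "dns"),      # DMZ-local resolver, not internal DNS
        Rule("dmz-int", "internal", "sql"),     # app tier to backend database
        Rule("mgmt", "dmz-ext", "ssh"),
        Rule("mgmt", "dmz-int", "ssh"),
        Rule("internet", "internal", "https"),  # dead rule: internet is not attached to fw-inner
    })),
))

# Constructed single-homed design: one three-legged firewall, AD reused from the LAN,
# admins managing DMZ hosts straight from the internal network.
ONE_FW = Topology((
    Firewall("fw-only", frozenset({"internet", "dmz", "internal"}), frozenset({
        Rule("internet", "dmz", "https"),
        Rule("dmz", "internal", "sql"),
        Rule("dmz", "internal", "ldap"),
        Rule("internal", "dmz", "ssh"),
    })),
))

if __name__ == "__main__":
    for name, topo, dmz in (("two firewalls", TWO_FW, {"dmz-ext", "dmz-int"}),
                            ("one firewall", ONE_FW, {"dmz"})):
        print(name, "pivot depth internet->internal:", pivot_depth(topo, "internet", "internal"))
        for finding in check_design(topo, "internet", "internal", "mgmt", dmz):
            print("  ", finding)
```

The dual-homed topology passes every check and needs three permitted hops from the Internet to the internal network; the single-homed one is flagged three times (one firewall facing both sides, DMZ hosts using internal LDAP, SSH into the DMZ from the LAN rather than a management segment) and needs only two. The model is deliberately coarse, working at segment level and treating every reached host as compromised, which is the right level for reviewing a design before any firewall is configured.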
2016/02/05 © ACROSEC Inc.