Technical implementation details of a DMZ

There are many ways to implement a DMZ. The following details should be considered when building one:

  • Clarify the purpose of the DMZ first before choosing a particular design
  • Choose between a dual homed or single homed DMZ design
  • The number of network segments in a DMZ, e.g. external facing network, internal facing network, additional networks for dedicated purpose
  • Design how to do systems management of DMZ infrastructure and application servers, e.g. via dedicated management interfaces
  • How many switches to use (sharing hardware like switches for external and internal segments is a security risk – thanks André for this)
  • Decide which DMZ elements to virtualize and what to have physical
  • Which network or infrastructure services to implement separately (reusing internal DNS, AD etc. is a security risk)
  • Design policies of how to use the DMZ and clarify ownership responsibilities
  • Design change management procedures and oversight responsibilities for the DMZ
  • etc.

Note: This list is not exhaustive.
Note: A dual homed DMZ design has 2 firewalls (external and internal). Single homed DMZ designs have only 1 firewall (quick and cheap approach, higher risk of exposure).
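As an added illustration (not ACROSEC's material), a small Python check that encodes several of the considerations above as rules against a constructed firewall policy for a dual homed DMZ: no internet-to-internal path that bypasses the DMZ, no reuse of internal DNS/AD from the DMZ, and management ports reachable only from a dedicated management segment. The segment names, port sets and rule format are assumptions.

```python
from dataclasses import dataclass

# Assumed segment names: internet, dmz-ext, dmz-int, internal, mgmt.
# Assumed port sets: internal infrastructure services the DMZ must not reuse,
# and management protocols that may only come from the management segment.
INTERNAL_INFRA_PORTS = {53, 88, 389, 445, 636, 3268}   # DNS, Kerberos, LDAP, SMB, LDAPS, GC
MGMT_PORTS = {22, 3389, 5985}                           # SSH, RDP, WinRM

@dataclass(frozen=True)
class Rule:
    firewall: str   # "external" (internet <-> DMZ) or "internal" (DMZ <-> internal)
    src: str        # source segment
    dst: str        # destination segment
    port: int       # destination TCP port allowed by this rule

def check_rule(rule):
    """Return the design violations a single allow-rule causes (empty list = compliant)."""
    findings = []
    if rule.src == "internet" and rule.dst == "internal":
        findings.append("direct internet-to-internal path bypasses the DMZ")
    if rule.firewall == "external" and "internal" in (rule.src, rule.dst):
        findings.append("external firewall should not carry rules for the internal segment")
    if rule.firewall == "internal" and "internet" in (rule.src, rule.dst):
        findings.append("internal firewall should not carry rules for the internet")
    if rule.src.startswith("dmz") and rule.dst == "internal" and rule.port in INTERNAL_INFRA_PORTS:
        findings.append(f"DMZ reuses internal infrastructure service on port {rule.port}")
    if rule.port in MGMT_PORTS and rule.src != "mgmt":
        findings.append(f"management port {rule.port} reachable from {rule.src}")
    return findings

def audit(rules):
    """Map each offending rule to its findings; compliant rules are omitted."""
    report = {}
    for rule in rules:
        findings = check_rule(rule)
        if findings:
            report[rule] = findings
    return report

# Constructed sample policy (not a real deployment).
CONSTRUCTED_RULES = [
    Rule("external", "internet", "dmz-ext", 443),   # ok: public web tier
    Rule("internal", "dmz-int", "internal", 5432),  # ok: app tier to a dedicated DB port
    Rule("internal", "dmz-int", "internal", 389),   # violation: DMZ reusing internal AD
    Rule("external", "internet", "dmz-ext", 22),    # violation: SSH from the internet
    Rule("external", "internet", "internal", 443),  # violation: bypasses the DMZ entirely
    Rule("internal", "mgmt", "dmz-int", 22),        # ok: management from the mgmt segment
]

if __name__ == "__main__":
    for rule, findings in audit(CONSTRUCTED_RULES).items():
        print(rule, "->", "; ".join(findings))
```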

2016/02/05 © ACROSEC Inc.


Category: DMZ FAQ