“Many technical details” could be the short answer to this question. However, it makes sense to lift the discussion to the following level:
- Purpose: Usually used at boundaries (network perimeter or internal network) in order to offer gateway connectivity services between differently trusted areas. Can also be used to build trust structures within the internal network. Purpose should be documented or defined in policies.
- Current configuration: Degree of virtualization, number of segments, connectivity on each layer, firewall rules, direction of connection establishment, protocol capabilities, available network services within a DMZ, proxies and gateways, applications and servers.
- Actual use of it: Currently involved applications, services and data (therefore need to understand classification of involved data and services).
- Expectation match (or degree of mismatch): Expectations of all involved stakeholders regarding the setup and its actual use should match if the intention is to maintain security or another important purpose. Maintaining consistency over the life-cycle of involved implementations requires governance oversight and thorough change management procedures across many involved components.
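The "expectation match" point above, comparing the documented purpose of a DMZ against its actual firewall configuration, as an added example that is not part of the original answer. The zone names, the rule dictionary format, and the `POLICY` and `RULES` data are constructed assumptions for illustration.

```python
"""Added example: compare a documented DMZ policy (which zone-to-zone flows
are intended) against the firewall rules actually deployed, and report the
mismatch. Sample data, zone names and rule format are constructed assumptions."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str   # zone that establishes the connection
    dst_zone: str   # zone that accepts the connection
    port: int       # destination TCP port


# Documented expectation (constructed sample from a DMZ policy):
# the internet may reach the DMZ reverse proxy on 443 and the DMZ may reach
# the internal application tier on 8443; nothing else is intended.
POLICY = {
    Flow("internet", "dmz", 443),
    Flow("dmz", "internal", 8443),
}

# Actual firewall rules (constructed sample), one dict per rule.
RULES = [
    {"action": "allow", "src": "internet", "dst": "dmz", "dport": 443},
    {"action": "allow", "src": "dmz", "dst": "internal", "dport": 8443},
    {"action": "allow", "src": "dmz", "dst": "internal", "dport": 3306},  # undocumented DB access
    {"action": "allow", "src": "internal", "dst": "dmz", "dport": 22},    # undocumented admin access
    {"action": "deny", "src": "any", "dst": "any", "dport": 0},
]


def deployed_flows(rules):
    """Extract the flows the rule set actually permits (allow rules only)."""
    return {Flow(r["src"], r["dst"], r["dport"]) for r in rules if r["action"] == "allow"}


def expectation_mismatch(policy, rules):
    """Return (undocumented, unimplemented): permitted flows the policy never
    mentions, and policy flows that no rule implements."""
    actual = deployed_flows(rules)
    return actual - policy, policy - actual


def mismatch_degree(policy, rules):
    """Fraction of all distinct flows (policy or deployed) that disagree; 0.0 means the setup matches expectation."""
    undocumented, unimplemented = expectation_mismatch(policy, rules)
    universe = policy | deployed_flows(rules)
    return len(undocumented | unimplemented) / len(universe) if universe else 0.0


if __name__ == "__main__":
    undoc, unimpl = expectation_mismatch(POLICY, RULES)
    for f in sorted(undoc, key=str):
        print(f"undocumented flow: {f.src_zone} -> {f.dst_zone}:{f.port}")
    for f in sorted(unimpl, key=str):
        print(f"policy flow not implemented: {f.src_zone} -> {f.dst_zone}:{f.port}")
    print(f"mismatch degree: {mismatch_degree(POLICY, RULES):.2f}")
```

Feeding the script the exported rule base of a real DMZ firewall together with the flows the policy documents turns the "degree of mismatch" into a number that can be tracked across change-management cycles.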