The demilitarized zone (DMZ) is made up of one or more
isolated LAN networks that contain shared server resources, such as web, DNS,
and e-mail servers. These servers are available to the outside world. These
shared servers are often called bastion hosts, bastion servers, or even sacrificial
hosts. Bastion hosts must be hardened and receive the highest-priority security
maintenance because of their exposure to the outside world and the increased
likelihood of attack. A bastion server typically runs only the specific
services being shared; all other services are stopped or turned off.
The firewall must be configured to allow fairly loose, but
regulated, access to the DMZ from the outside network while at the same time
protecting the inside network. Inside-network users need access to the server
resources in the DMZ and are typically granted limited access, possibly
restricted to sessions that originate within the inside
network.
Generally, the firewall will be configured to prevent access
from the outside to the inside, possibly limiting access to those sessions
originating from the inside network. Other, unsolicited, access from the outside
would be blocked in most cases. One common exception might be the e-mail
server(s) if they reside in the inside network instead of the DMZ. Securing this
type of connection is covered in the firewall chapters.
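The three-zone policy described above, modelled as a small stateful packet filter. This is an added example, not code from the text; the address ranges, the set of public DMZ ports, and the admin port allowed from inside to the DMZ are constructed assumptions.

```python
"""Stateful three-zone filter model (added example; all values are constructed)."""
from ipaddress import ip_address, ip_network

# Assumed address plan: anything not in the DMZ or inside range is "outside".
ZONES = {"dmz": ip_network("192.0.2.0/24"), "inside": ip_network("10.0.0.0/8")}
# Only the services a bastion host actually shares are reachable from outside.
DMZ_PUBLIC_PORTS = {25, 53, 80, 443}
# Assumed: inside admins may additionally reach bastion hosts on SSH.
DMZ_ADMIN_PORTS = DMZ_PUBLIC_PORTS | {22}


def zone_of(addr):
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "outside"


class StatefulFilter:
    def __init__(self):
        # Sessions that were permitted at SYN time, keyed by their 4-tuple.
        self.sessions = set()

    def decide(self, src, sport, dst, dport, syn=True):
        """Return 'accept' or 'drop' for one TCP segment."""
        # Reply traffic for a session permitted earlier is accepted in any direction.
        if (dst, dport, src, sport) in self.sessions:
            return "accept"
        if not syn:
            return "drop"  # unsolicited mid-stream segment with no state
        sz, dz = zone_of(src), zone_of(dst)
        if sz == "outside":
            # Regulated access to shared DMZ services only; never to the inside.
            verdict = "accept" if dz == "dmz" and dport in DMZ_PUBLIC_PORTS else "drop"
        elif sz == "inside":
            # Limited access to the DMZ; inside-originated sessions outward are allowed.
            verdict = "accept" if dz != "dmz" or dport in DMZ_ADMIN_PORTS else "drop"
        else:
            # A bastion host may reach outside (DNS, outbound mail) but never open
            # a session into the inside network.
            verdict = "accept" if dz == "outside" else "drop"
        if verdict == "accept":
            self.sessions.add((src, sport, dst, dport))
        return verdict
```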