When you're designing a corporate firewall system, you must decide whether to implement a demilitarized zone (DMZ). A DMZ is a barrier between the Internet and a company's intranet and contains a firewall and proxy server, which can be on separate servers or the same server. A properly designed and implemented DMZ reduces Internet-related security risks, such as the possibility of Denial of Service (DoS) attacks, that affect corporate servers. However, an incorrectly designed DMZ can create administrative and financial overhead. The following two main principles of DMZ design aren't dependent on which firewall software you use:
- You must split services between a DMZ and private network, and a firewall should allow communication only between DMZ and private network hosts that run corresponding services. For example, inbound Web cache should communicate only with Web servers; SMTP relays should communicate only with corporate mail servers; and public DNS should communicate only with private DNS. If you can't split your services, put all the services behind the firewall.
- DMZ hosts are external to the private network (i.e., they act like any computer on the Internet). Therefore, user authentication should never cross the firewall from the private network to the DMZ or vice versa.