Most organizations separate their internal systems from the Internet using a firewall. However, some systems and
services, such as web servers, need to be available outside the internal network. This can be accomplished with a
network segment called a demilitarized zone (DMZ), which places limited systems, applications and data in a
public-facing segment. Servers located in a DMZ minimize the exposure to attacks. Built from two packet-filtering
routers and a bastion host, this approach creates the most secure firewall system because it supports both network- and
application-level security while defining a separate DMZ network.
The DMZ functions as a small, isolated network for an organization’s public servers, bastion host, information servers
and modem pools. Typically, DMZs are configured to limit access from the Internet and the organization’s private
network. Incoming traffic access is restricted into the DMZ network by the outside router, protecting the organization
against certain attacks by limiting the services available for use. Consequently, external systems can access only the
bastion host (along with its proxying service capabilities to internal systems) and possibly information servers in
the DMZ. The inside router provides a second line of defense, managing DMZ access to the private network, while
accepting only traffic originating from the bastion host. For outbound traffic, the inside router manages private
network access to the DMZ network. It permits internal systems to access only the bastion host and information
servers in the DMZ. The filtering rules on the outside router require the use of proxy services by accepting only
outbound traffic on the bastion host. The key benefits of this system are:
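The four filtering rules described above (outside router: inbound only to the bastion host or information servers, outbound only from the bastion host; inside router: DMZ-to-private only from the bastion host, private-to-DMZ only to the bastion host or information servers) can be expressed as a small policy model and checked against sample flows. The following is an added example written for this page, not code from the original text; the address plan, the service ports and the rule function names are constructed assumptions for illustration.

```python
"""Policy model of the two-router (screened subnet) DMZ described above.

Added example, not from the original text. All addresses and port sets are
constructed for illustration (RFC 1918 / RFC 5737 ranges); the split into an
outside-router rule and an inside-router rule mirrors the text's description.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption): private network and DMZ segment.
ZONES = {
    "internal": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.0.2.0/24"),
}
BASTION = ip_address("192.0.2.10")
INFO_SERVERS = {ip_address("192.0.2.20"), ip_address("192.0.2.21")}

# Constructed service exposure (assumption): the outside router limits the
# services reachable from the Internet, as the text describes.
INBOUND_SERVICES = {
    "bastion": {25},        # e.g. inbound mail relay on the bastion host
    "info": {80, 443},      # public information (web) servers
}


def zone_of(addr):
    """Classify an address as 'internal', 'dmz' or 'internet'."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def outside_router_permits(flow):
    """Outside router: inbound traffic may reach only the bastion host or the
    information servers, and only on their exposed services; outbound traffic
    is accepted only from the bastion host, forcing proxy use."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if zone_of(src) == "internet":
        if dst == BASTION:
            return flow.dport in INBOUND_SERVICES["bastion"]
        if dst in INFO_SERVERS:
            return flow.dport in INBOUND_SERVICES["info"]
        return False
    if zone_of(dst) == "internet":
        return src == BASTION
    return False  # the outside router forwards nothing else


def inside_router_permits(flow):
    """Inside router: DMZ-to-private traffic only if it originates from the
    bastion host; private-to-DMZ traffic only to the bastion host or the
    information servers."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    sz, dz = zone_of(src), zone_of(dst)
    if sz == "dmz" and dz == "internal":
        return src == BASTION
    if sz == "internal" and dz == "dmz":
        return dst == BASTION or dst in INFO_SERVERS
    return False  # a direct internal<->Internet flow is never permitted


def path_permits(flow):
    """A flow must be accepted by every router on its path. Internet<->DMZ
    crosses only the outside router, internal<->DMZ only the inside router,
    and a direct Internet<->internal flow would have to pass both."""
    zones = {zone_of(flow.src), zone_of(flow.dst)}
    checks = []
    if "internet" in zones:
        checks.append(outside_router_permits)
    if "internal" in zones:
        checks.append(inside_router_permits)
    if not checks:
        return True  # DMZ-to-DMZ traffic stays on the segment
    return all(check(flow) for check in checks)


# Constructed sample flows (assumption) covering each rule in the text.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "192.0.2.20", 443),   # Internet -> info server, web
    Flow("203.0.113.5", "192.0.2.20", 22),    # Internet -> info server, SSH
    Flow("203.0.113.5", "10.1.1.5", 445),     # Internet -> internal host
    Flow("10.1.1.5", "192.0.2.10", 3128),     # internal -> bastion proxy
    Flow("10.1.1.5", "203.0.113.5", 80),      # internal -> Internet directly
    Flow("192.0.2.10", "203.0.113.5", 80),    # bastion -> Internet (proxied)
    Flow("192.0.2.20", "10.1.1.5", 445),      # info server -> internal host
    Flow("192.0.2.10", "10.1.1.5", 25),       # bastion -> internal mail host
]


def evaluate(flows=SAMPLE_FLOWS):
    """Return {flow: permitted?} for a list of flows."""
    return {f: path_permits(f) for f in flows}


if __name__ == "__main__":
    for f, ok in evaluate().items():
        print(f"{f.src:>14} -> {f.dst:<14} port {f.dport:<5} {'ALLOW' if ok else 'DENY'}")
```

The point the model makes explicit is the second line of defense: a compromised information server in the DMZ cannot reach the private network (only the bastion host can), and no flow can cross directly between the Internet and the private network because it would have to satisfy both routers, neither of which forwards such traffic.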