DMZ (Demilitarized Zone)

The Concept of Isolation

Firewall systems allow for the definition of access rules between two networks. However, in practice, companies generally have several subnetworks with different security policies. This is why it is necessary to set up firewall architectures that isolate a company's different networks. This is called "network isolation".

DMZ Architecture

While some machines of the internal network need to be externally accessible (web servers, e-mail servers, FTP servers), sometimes it is necessary to create a new interface to a separate network that is accessible both from the internal network and externally without the risk of compromising company security. The term "demilitarised zone" or DMZ refers to this isolated zone that hosts the applications made available to the public. The DMZ acts as a "buffer zone" between the network that needs protecting and the hostile network.

The servers in the DMZ are called "bastion hosts" because they act as an outpost in the company's network.

The security policy for the DMZ is generally the following:

• Traffic from the external network to the DMZ is autorised
• Traffic from the external network to the internal network is prohibited
• Traffic from the internal network to the DMZ is autorised
• Traffic from the internal network to the external network is authorised
• Traffic from the DMZ to the internal network is prohibited
• Traffic from the DMZ to the external network is denied

Thus, the DMZ possesses an intermediate security level that is not high enough for storing critical company data.

It should be noted that DMZs can be set up internally in order to isolate the internal network with varying levels of protection and avoid internal intrusions.