DMZ Design Fundamentals

DMZ design, like security design, is always a work in progress. As in security planning and analysis, we find DMZ design carries great flexibility and change potential to keep the protection levels we put in place in an effective state.

The ongoing work is required so that the system’s security is always as high as we can make it within the constraints of time and budget, while still allowing appropriate users and visitors to access the information and services we provide for their use.

You will find that the time and funds spent in the design process and preparation for the implementation are very good investments if the process is focused and effective; this will lead to a high level of success and a good level of protection for the network you are protecting.

Design of the DMZ is critically important to the overall protection of your internal network—and the success of your firewall and DMZ deployment.The DMZ design can incorporate sections that isolate incoming VPN traffic, Web traffic, partner connections, employee connections, and public access to information provided by your organization.

Design of the DMZ structure throughout the organization can protect internal resources from internal attack. As discussed in the security section, much of the risk of data loss, corruption, and breach exists inside the network perimeter. Our tendency is to protect assets from external harm but to disregard the dangers that come from our own internal equipment, policies, and employees.

These attacks or disruptions do not arise solely from disgruntled employees. Many of the most damaging conditions occur because of inadvertent mistakes made by well-intentioned employees. Each and all of these entry points is a potential source of loss for your organization and ultimately can provide an attack point to defeat your other defenses.

Additionally, the design of your DMZ will allow you to implement a multilayered approach to securing your resources that does not leave a single point of failure in your plan. This minimizes the problems and loss of protection that can occur because of misconfiguration of rule sets or access control lists (ACLs), and reduces the problems that can occur due to hardware configuration errors.

Proper DMZ design, in conjunction with the security policy and plan developed previously, allows for end-to-end protection of the information being transmitted on the network. The importance of this capability is explored more fully later in the chapter, when we review some of the security problems inherent in the current implementation of TCP/IPv4 and the transmission of data.

The use of one or more of the many firewall products or appliances currently available will most often afford the opportunity to block or filter specific protocols and protect the data as it is being transmitted. This protection may take the form of encryption and can use the available transports to protect data as well.

Additionally, proper use of the technologies available within this design can provide for the necessary functions previously detailed in the concepts of AAA and CIA, using the multilayer approach to protection we discussed in earlier sections. This need to provide end-to-end security requires that we are conversant with and remember basic network traffic patterns and protocols.

Another of the benefits of using a DMZ design that includes one or more firewalls is the opportunity to control traffic flow into and out of the DMZ much more cohesively and with much more granularity and flexibility. When the firewall product in use (either hardware or software) is a product designed above the homeuse level, the capability usually exists to control traffic flowing in and out of the network or DMZ through packet filtering based on port numbers, and allow or deny the use of entire protocols.

For instance, the rule set might include a statement that blocks communication via ICMP, which would block protocol 1. A statement that allowed IPSec traffic where it was desired to allow traffic using ESP or AH would be written allowing protocol 50 for ESP or 51 for Authentication Header (AH). (For a listing of the protocol IDs, visit

Remember that like the rule of security that follows the principle of least privilege, we must include in our design the capability to allow only necessary traffic into and out of the various portions of the DMZ structure.