How to Design a Secure DMZ

By Michael Hamelin  |  Posted 2010-09-01 Print this article Print

One core tenet of demilitarized zone (DMZ) design is to segregate network devices, systems, services and applications based on risk. Because of this, it's crucial to carefully plan and design a DMZ because it may not be easy to fix major flaws in the DMZ's design once it's live. Here, Knowledge Center contributor Michael Hamelin explains how to design a secure DMZ for your enterprise.

We have come a long way when it comes to DMZs (demilitarized zones). It's no longer a question of if your organization needs a DMZ, but rather, it's now a question of how you should design one.

In computer security, a DMZ is a physical or logical subnetwork that contains and exposes an organization's external services to a larger, untrusted network-usually the Internet. The original DMZ designs included a simple network separated from the internal network, where everything that needed access to the Internet was placed.

Today, there are as many DMZ designs as there are vehicles on the road. You have industrial trucks designed to simply transport goods as cheaply as possible. You have economy cars designed to save money. And you have exquisite Italian sports cars that are sure to make your friends jealous (and fast enough that you always arrive with plenty of extra time for a nice cup of espresso). DMZ designs are a lot like cars: there are many varieties which go by a lot of different names but they all serve the same purpose.

There are hundreds of names that we use for networks today but, essentially, there are internal networks, external networks and DMZs. They may be called partner nets, vendor zones, internal DMZs or security zones. But the reality is that they are all DMZs with a mix of ownership devices, connectivity and risk levels.

Michael Hamelin Michael Hamelin is Chief Security Architect at Tufin Technologies. Bringing more than 16 years of security domain expertise to Tufin, Michael has deep, hands-on technical knowledge in security architecture, penetration testing, intrusion detection, and anomalous detection of rogue traffic. Michael has authored numerous courses in information security and worked as a consultant, security analyst, forensics lead, and security practice manager. Michael is also a featured security speaker around the world, widely regarded as a leading technical thinker in information security. Michael previously held technical leadership positions at VeriSign, Cox Communications and Resilience. Prior to joining Tufin, Michael was the principal network and security architect for ChoicePoint, a LexisNexis Company. Michael received Bachelor's degrees in Chemistry and Physics from Norwich University and did his graduate work at Texas A&M University. He can be reached at

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel