Goals of DMZ Design
If you ask ten network architects about how to design a DMZ, they'll come back with ten different answers. While variety is the spice of life, as an industry we should have some generally accepted practices of DMZ design.
One of the core tenets of DMZ design is to segregate devices, systems, services and applications based on risk. The goal is to contain risk: if something goes bad and the Web server is hacked, you need to know which other devices the attacker would then have easy access to. Beyond segregation by risk, four other common design approaches are separation by operating system, by data classification scheme, by trust level or by business unit.
If you look at recent audit and compliance requirements, you'll see that they include a growing number of specific technical design requirements. In some of the new requirements, we find the mandate to keep the Web and application tier separated from the databases, a very good idea. We also see the move back to single-purpose servers; for example, your Web server cannot also be your DNS server.
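The two points above (know what a compromised Web server can reach, and keep the Web tier away from the databases and off shared-purpose hosts) can be checked mechanically against a zone policy. The following is an added example, not code from the article; the zones, trust ranks, hosts, ports and both policies are constructed sample data, and the "hops" measure is this example's own convention: one hop is a direct connection the policy permits, and higher counts assume each reached host could be compromised in turn, so they count how many tiers stand between a foothold and an asset.

```python
"""Blast-radius and policy-lint model for a tiered DMZ (added example, constructed data)."""
from collections import deque

# Zones ranked by trust, lowest first (constructed sample; an assumption, not from the article).
TRUST = {"internet": 0, "dmz_web": 1, "app": 2, "db": 3}

# Allowed flows as (source zone, destination zone, TCP port). Anything absent is denied.
POLICY_TIERED = {
    ("internet", "dmz_web", 443),
    ("internet", "dmz_web", 53),
    ("dmz_web", "app", 8443),
    ("app", "db", 5432),
}
# Same policy plus a shortcut that lets the Web tier talk to the database directly.
POLICY_FLAT = POLICY_TIERED | {("dmz_web", "db", 5432)}

# Hosts with their zone and listening ports (constructed). Single-purpose layout first.
HOSTS_SINGLE = {
    "www1": {"zone": "dmz_web", "ports": {443}},
    "ns1":  {"zone": "dmz_web", "ports": {53}},
    "app1": {"zone": "app", "ports": {8443}},
    "db1":  {"zone": "db", "ports": {5432}},
}
# Variant where the Web server also serves DNS (the pattern the audit rules forbid).
HOSTS_COMBINED = {
    "www1": {"zone": "dmz_web", "ports": {443, 53}},
    "app1": {"zone": "app", "ports": {8443}},
    "db1":  {"zone": "db", "ports": {5432}},
}


def lateral_reach(policy, hosts, start):
    """Return {host: hops} for every host an attacker holding `start` could connect to.

    Breadth-first search over the policy: a host is reachable from the current foothold
    when some port it listens on is allowed from the foothold's zone. Hop 1 is direct
    exposure; higher hops are the worst-case chain through intermediate tiers."""
    hops = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        src_zone = hosts[cur]["zone"]
        for name, info in hosts.items():
            if name in hops:
                continue
            if any((src_zone, info["zone"], port) in policy for port in info["ports"]):
                hops[name] = hops[cur] + 1
                queue.append(name)
    del hops[start]  # the foothold itself is not part of the blast radius
    return hops


def tier_skips(policy, trust=TRUST):
    """Rules whose destination sits more than one trust level above the source,
    i.e. flows that bypass a tier (Web straight to database)."""
    return sorted(f"{s}->{d}:{p}" for s, d, p in policy if trust[d] - trust[s] > 1)


def multi_purpose_hosts(hosts):
    """Hosts listening on more than one service port (the Web+DNS anti-pattern)."""
    return sorted(h for h, info in hosts.items() if len(info["ports"]) > 1)


if __name__ == "__main__":
    for label, policy in (("tiered", POLICY_TIERED), ("flat", POLICY_FLAT)):
        print(label, "reach from www1:", lateral_reach(policy, HOSTS_SINGLE, "www1"))
        print(label, "tier skips:", tier_skips(policy))
    print("multi-purpose hosts:", multi_purpose_hosts(HOSTS_COMBINED))
```

Run against the constructed data, the tiered policy puts the database two hops from a compromised `www1` (it still has to go through `app1`), while the flat policy exposes `db1` directly and is flagged by `tier_skips`; `multi_purpose_hosts` picks out the combined Web/DNS host. The same three checks apply to a real rule base once its zones and host inventory are loaded into the same shape.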