Four Levels of DMZ Design

By Michael Hamelin  |  Posted 2010-09-01 Print this article Print

Four levels of DMZ design

Let's break DMZ design into four levels, with Level 1 being the simplest design and subsequent levels providing more segmented security.

When we want to build a basic DMZ, we start with a single segment of the firewall. Let's call this Level 1 in our DMZ design book. This design is fine if you have a few servers that need Internet access. But if you do any e-commerce transactions, you have already outgrown this design.

Many people make the mistake of keeping this design, placing the Web and application servers in the DMZ and the databases on the internal network. This is no longer acceptable. As database attacks become more targeted, the risk of having the database on the internal network requires a more sophisticated design.

Level 2 DMZ designs

A Level 2 DMZ would consist of multiple DMZ networks off of the firewall. This design is a substantial improvement over a Level 1 design. It allows traffic rules to be written between each DMZ for control and segregation. A good start is having separate DMZs for Web and application servers, databases, authentication services, VPNs, partner connections, e-mail and mobile services. This is very feasible today; most firewalls can easily handle tens of interfaces and multiple VLANs on each interface.

Michael Hamelin Michael Hamelin is Chief Security Architect at Tufin Technologies. Bringing more than 16 years of security domain expertise to Tufin, Michael has deep, hands-on technical knowledge in security architecture, penetration testing, intrusion detection, and anomalous detection of rogue traffic. Michael has authored numerous courses in information security and worked as a consultant, security analyst, forensics lead, and security practice manager. Michael is also a featured security speaker around the world, widely regarded as a leading technical thinker in information security. Michael previously held technical leadership positions at VeriSign, Cox Communications and Resilience. Prior to joining Tufin, Michael was the principal network and security architect for ChoicePoint, a LexisNexis Company. Michael received Bachelor's degrees in Chemistry and Physics from Norwich University and did his graduate work at Texas A&M University. He can be reached at

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel