How to Design a Secure DMZ - Page 5

Level 4 DMZ designs

Level 4 DMZ designs are where things start getting more complicated. A Level 4 scenario would most likely include deploying multiple firewall pairs in parallel along your border rail, and spreading your DMZs out among them, segregated by your choice of metrics. Most people choose to separate the firewalls into business or functional groups, while others like to separate them by trust levels.

Best practices dictate building separate firewall stacks based on Service Level Agreements (SLAs) and data classification. This creates a situation where there is an entirely separate firewall stack for PCI, separate firewalls for user services (such as Web browsing, FTP, e-mail, patching, etc.) and separate firewall stacks for business services. Consider business services placed in DMZs by SLA: 90 percent, 98 percent and 99.9 percent make for three good goals. Designing DMZs by SLA can streamline DMZ management and reduce business disruptions.


In closing, it's imperative to place as much rigor as possible into the planning and design process. Assume that once the DMZ is live, it may not be so easy to fix major flaws in the design. Internal due diligence can be used as a way to establish strong lines of communication with other stakeholders-whether they are other IT folks, business owners, partners or managers. It can raise your profile within your company as a thoughtful risk manager and strategic thinker. And, perhaps most important, it will invite feedback outside your frame of reference. If one conversation with one person has a significant impact on DMZ design, wouldn't you want to have that conversation before you design it?

Michael Hamelin is Chief Security Architect at Tufin Technologies. Bringing more than 16 years of security domain expertise to Tufin, Michael has deep, hands-on technical knowledge in security architecture, penetration testing, intrusion detection, and anomalous detection of rogue traffic. Michael has authored numerous courses in information security and worked as a consultant, security analyst, forensics lead, and security practice manager. Michael is also a featured security speaker around the world, widely regarded as a leading technical thinker in information security. Michael previously held technical leadership positions at VeriSign, Cox Communications and Resilience. Prior to joining Tufin, Michael was the principal network and security architect for ChoicePoint, a LexisNexis Company. Michael received Bachelor's degrees in Chemistry and Physics from Norwich University and did his graduate work at Texas A&M University. He can be reached at