Designing the Demilitarized Zone

An important part of a large corporate network is the DMZ. This section describes what a DMZ is used for, and later sections in this chapter give examples of how a DMZ is used.

A demilitarized zone (DMZ) is a network segment that gives Internet users controlled access to selected services while keeping the private network itself unreachable from the Internet. The DMZ lets a business use the Internet as a cost-saving medium and, at the same time, maintain a presence on it. The cost saving comes from carrying remote-access and site-to-site traffic over the existing infrastructure of the Internet, protected by VPNs, instead of paying the wide-area connection costs of leased communications lines. Essentially, the DMZ is a network that sits between the private network and the Internet, and it is the only part of the organization's network that Internet hosts can reach directly.

The DMZ contains devices such as servers, routers, and switches that maintain security by keeping the internal network from being exposed on the Internet: only the hosts placed in the DMZ accept connections from the outside. The servers that reside within the DMZ usually consist of proxy server arrays, which the network uses to provide Web access for internal users; external Web servers running Internet Information Services (IIS), which an organization can use to promote its presence on the Internet; and any VPN servers that are used to provide secure connections for remote clients. For more information about VPNs, see "VPN Security" and "L2TP over IPSec VPNs" later in this chapter.

An example of a DMZ is shown in Figure 7.2. The device on the edge of the DMZ is a router. For a large corporation, the speed of the connection exposed to the Internet should preferably be at least DS3, or 45 megabits per second (Mbps). The connection between the router and the servers in the DMZ can be any high-speed LAN, but gigabit Ethernet or ATM is recommended if you expect heavy Internet traffic.

For small- to medium-sized networks, you can use a Windows 2000 Routing and Remote Access router as the DMZ edge device. Enable packet filtering on its Internet interface to drop unwanted traffic: configure the inbound filters so that all packets are dropped except those addressed to the specific DMZ servers and the specific protocols and ports they serve. Routing and Remote Access packet filters are stateless, so each filter must name the protocol and port of the service it admits, and nothing in the filter set should permit traffic from the Internet to an internal address.
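The following is an added illustration, not code from the original chapter: a small model of the default-deny inbound filter set that the DMZ design above calls for on the router's Internet interface. It covers the hosts named in the DMZ description (an external IIS Web server and a VPN server accepting PPTP and L2TP over IPSec) and the rule that nothing from the Internet may reach the internal network. The addresses (RFC 5737 and RFC 1918 ranges), host roles, the first-match evaluation order, and the `audit` helper are assumptions made for the example, not Routing and Remote Access behaviour or configuration syntax.

```python
"""Model of a default-deny inbound packet filter on a DMZ router's Internet
interface. Added example; addresses, host roles and the rule set are assumed
(RFC 5737 documentation and RFC 1918 private ranges), not taken from the page."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "gre" or "esp"
    dport: Optional[int] = None   # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    proto: str                    # "any" or a protocol name
    dport: Optional[int]          # None matches any destination port
    action: str                   # "permit" or "drop"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


ANY = "0.0.0.0/0"
INTERNAL_NET = "10.0.0.0/8"       # assumed private network (RFC 1918)
DMZ_NET = "203.0.113.0/24"        # assumed DMZ range (RFC 5737)
DMZ_WEB = "203.0.113.10/32"       # assumed external IIS Web server
DMZ_VPN = "203.0.113.20/32"       # assumed VPN server

# Inbound filters on the Internet interface, evaluated first match wins.
INBOUND_FILTERS = [
    # Anti-spoofing: a packet arriving from the Internet must not claim
    # an internal or DMZ source address.
    Rule(INTERNAL_NET, ANY, "any", None, "drop"),
    Rule(DMZ_NET, ANY, "any", None, "drop"),
    # Public Web presence: HTTP and HTTPS to the DMZ Web server only.
    Rule(ANY, DMZ_WEB, "tcp", 80, "permit"),
    Rule(ANY, DMZ_WEB, "tcp", 443, "permit"),
    # PPTP: TCP 1723 control connection plus the GRE tunnel.
    Rule(ANY, DMZ_VPN, "tcp", 1723, "permit"),
    Rule(ANY, DMZ_VPN, "gre", None, "permit"),
    # L2TP over IPSec: IKE on UDP 500 plus ESP carrying the L2TP tunnel.
    Rule(ANY, DMZ_VPN, "udp", 500, "permit"),
    Rule(ANY, DMZ_VPN, "esp", None, "permit"),
]


def evaluate(p: Packet, rules: List[Rule] = INBOUND_FILTERS) -> str:
    """Return the action for a packet; anything no rule permits is dropped."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


def audit(rules: List[Rule] = INBOUND_FILTERS) -> List[Rule]:
    """Return permit rules whose destination range overlaps the internal
    network. A correct DMZ filter set yields an empty list."""
    internal = ip_network(INTERNAL_NET)
    return [r for r in rules
            if r.action == "permit" and ip_network(r.dst_net).overlaps(internal)]


if __name__ == "__main__":
    # Constructed sample packets: a browser reaching the Web server, a scan
    # of a closed port, an attempt to reach an internal host, and a spoof.
    samples = [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 80),
        Packet("198.51.100.7", "203.0.113.10", "tcp", 23),
        Packet("198.51.100.7", "10.0.0.5", "tcp", 80),
        Packet("10.1.1.1", "203.0.113.10", "tcp", 80),
        Packet("198.51.100.7", "203.0.113.20", "gre"),
    ]
    for s in samples:
        print(s, "->", evaluate(s))
    print("permit rules reaching the internal network:", audit())
```

The `audit` check is the one worth running whenever a filter is added: a single permit whose destination is `0.0.0.0/0` or an internal range undoes the separation the DMZ exists to provide, and a stateless filter will not catch it for you.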