1.  DMZ stands for Demilitarized Zone.  It is a network subdivision where you allow 
non-trusted network traffic, i.e. external traffic.  Ideally it should have NO 
contact with the internal network.  However, that is not the case in most companies.  
Most companies allow very limited contact with an internal network, such as a 
database backend server.

2.  DMZ best practices:

* Ideally a DMZ should be behind a separate firewall from the internal segment.
* If the above is not possible, a third or fourth interface off of an existing 
firewall is best.
* The servers in the DMZ (usually a web server or FTP server) should be locked down as 
tightly as possible without losing functionality.
* Allow only those ports that are necessary to come into the DMZ. Do not make blanket 
rules. There should be no rule like: "From Any to DMZ using X ports".  All rules 
should be server specific.  So if you have an FTP server, only FTP should be allowed to 
that server.
* Ideally there should be no way from the DMZ to the internal network.
* All servers in the DMZ should be stand-alone.  No domain members.
* If you must allow access to the internal network from the DMZ, then limit the ports 
and do server-to-server rules rather than blanket rules for the DMZ.
* Limit access from the internal network to the DMZ to only those ports that are 
necessary.

Remember that these are just guidelines.  Every situation is different.

-Kit

>>-----Original Message-----
>>From: Gerard Fremaint [mailto:[EMAIL PROTECTED]]
>>Sent: Thursday, April 04, 2002 6:39 AM
>>To: [EMAIL PROTECTED]
>>Subject: DMZ Stuff
>>
>>
>>I have 2 questions:
>>1) What is a DMZ?
>>2) What is the better way to implement it?
>>
>>
