Modern DMZ designs

rockstar81

intetested in hearing how members have their DMZs set up for production and what equipment they use? It's an area I don't have any expirence in but am looking into. Any information most greatful.

networker050184

What are the requirements? Hard to say without knowing any details. There is usually one or more firewalls with tightened security rules for anything considered to be "DMZ."

Mooseboost

We setup DMZs for customers in various situations. The most common is public servers sitting in the DMZ. We typically will pass the traffic through to the DMZ with a very general security policy (WAN -> DMZ to lockout traffic to only the desired services, restrict management protocols to specific blocks, etc) and they will filter with a more granular security service on their side.

If you are running your own perimeter firewall you may play that a little differently. We don't have control over the customers network, just our device so our scope of what they do on the other side is a little limited.

rockstar81

Thank you for replies - it's basically to host a number of services - some would require AD access and others access to services on other servers on network.

Would having a reverse proxy with a firewall either side be considered safe in set up correct rather than moving everything to a dmz subnet?

When I say move everything to dmz I mean things that require access from outside

NotHackingYou

I prefer the isolated subnet design with a NAT behind a public IP.