Modern DMZ designs

rockstar81 Member Posts: 151
Interested in hearing how members have their DMZs set up for production and what equipment they use. It's an area I don't have any experience in but am looking into. Most grateful for any information.


  • networker050184 Mod Posts: 11,962
    What are the requirements? Hard to say without knowing any details. There is usually one or more firewalls with tightened security rules for anything considered to be "DMZ."
    An expert is a man who has made all the mistakes which can be made.
  • Mooseboost Senior Member Posts: 775
    We set up DMZs for customers in various situations. The most common is public servers sitting in the DMZ. We typically will pass the traffic through to the DMZ with a very general security policy (WAN -> DMZ to lockout traffic to only the desired services, restrict management protocols to specific blocks, etc.) and they will filter with a more granular security service on their side.

    If you are running your own perimeter firewall you may play that a little differently. We don't have control over the customer's network, just our device, so our scope of what they do on the other side is a little limited.
    2020 Certification Goals: OSCE GXPN
  • rockstar81 Member Posts: 151
    Thank you for the replies - it's basically to host a number of services - some would require AD access and others access to services on other servers on the network.

    Would having a reverse proxy with a firewall either side be considered safe if set up correctly, rather than moving everything to a DMZ subnet?

    When I say move everything to the DMZ, I mean things that require access from outside.
  • NotHackingYou Member Posts: 1,460
    I prefer the isolated subnet design with a NAT behind a public IP.
    When you go the extra mile, there's no traffic.