Guidelines on Securing Public Web Servers
8.1.2 Demilitarized Zone
A Demilitarized Zone (DMZ) can be defined as a host or network segment inserted as a
neutral zone between an organization's private network and the Internet. It prevents outside
users of the Web server from gaining direct access to an organization's internal network
(intranet). A DMZ mitigates the risks of locating a Web server on an internal network or
exposing it directly to the Internet. It is a compromise solution that offers the most benefits
with the least amount of risk for most organizations. The DMZ allows access to the resources
located within it to both internal and external users. There are a wide variety of DMZ
configurations, each with its own strengths and weaknesses.
In creating a DMZ, an organization will place a firewall between its border router and its
internal network (in some configurations the border router itself may act as a basic firewall).
The new segment of network that is created by this action is where a Web server is placed
along with other network infrastructure components and servers that need to be externally
accessible. Figure 8.1 illustrates an example of a simple DMZ using a router with access
control lists (ACLs) to restrict certain types of network traffic to and from the DMZ.
Figure 8.1: Basic DMZ
This type of DMZ is a lower cost approach that is generally only appropriate for small
organizations that face a minimal threat. The basic weakness in the approach is that while the
router is able to protect against most network attacks, it is not aware of HTTP and thus
cannot protect against application layer attacks aimed at the Web server. A superior approach
is to add a second firewall between the Internet and the DMZ. This offers better protection
to the DMZ. An example of this type of implementation is shown in Figure 8.2.
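The following is an added example, not part of NIST SP 800-44, that models the router ACL of Figure 8.1 as a first-match packet filter separating the Internet, the DMZ and the internal network, and then shows why such a filter cannot stop application layer attacks: two packets to the Web server that differ only in their HTTP payload receive the same verdict. The address plan (documentation range 192.0.2.0/24 as the DMZ, 10.0.0.0/8 as the intranet), the rule set and the sample packets are all constructed for illustration and are not from the guideline.

```python
"""Added example (not from NIST SP 800-44): a minimal first-match ACL evaluator
modelling the basic DMZ of Figure 8.1, where a border router with ACLs filters
traffic between the Internet, the DMZ and the internal network.
Address plan, rule set and sample packets are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional

# Constructed (hypothetical) address plan.
INTERNET = ip_network("0.0.0.0/0")        # anything not matched more specifically
DMZ = ip_network("192.0.2.0/24")          # TEST-NET-1 documentation range as the DMZ
INTERNAL = ip_network("10.0.0.0/8")       # the organization's intranet
WEB_SERVER = ip_address("192.0.2.10")     # the public Web server inside the DMZ


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    payload: bytes = b""  # the router never looks at this


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        # Only layer 3/4 fields take part in the decision.
        return (ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Evaluated top-down, first match wins, implicit deny at the end: the usual
# router ACL semantics. Order matters; the broad denies sit below the permits.
DMZ_ACL = [
    Rule("permit", INTERNET, ip_network(f"{WEB_SERVER}/32"), "tcp", 80),
    Rule("permit", INTERNET, ip_network(f"{WEB_SERVER}/32"), "tcp", 443),
    Rule("permit", INTERNAL, DMZ),        # intranet users may reach DMZ resources
    Rule("deny", INTERNET, INTERNAL),     # outside users never reach the intranet
    Rule("deny", DMZ, INTERNAL),          # a compromised DMZ host stays contained
]


def evaluate(acl, pkt: Packet) -> str:
    """Return 'permit' or 'deny' for pkt under first-match semantics."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # implicit deny when no rule matches


def acl_inspects_payload() -> bool:
    """Show the weakness the guideline describes: the ACL is unaware of HTTP.

    Two constructed requests to the Web server on port 80, one ordinary and one
    grossly oversized, get the same verdict because only addresses, protocol
    and port are examined. Returns True only if the verdicts differ."""
    ordinary = Packet("203.0.113.5", str(WEB_SERVER), "tcp", 80,
                      b"GET /index.html HTTP/1.1\r\n")
    oversized = Packet("203.0.113.5", str(WEB_SERVER), "tcp", 80,
                       b"GET /" + b"A" * 4096 + b" HTTP/1.1\r\n")
    return evaluate(DMZ_ACL, ordinary) != evaluate(DMZ_ACL, oversized)


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", str(WEB_SERVER), "tcp", 80),   # Internet -> Web
        Packet("203.0.113.5", str(WEB_SERVER), "tcp", 22),   # Internet -> Web SSH
        Packet("203.0.113.5", "10.1.2.3", "tcp", 443),       # Internet -> intranet
        Packet("10.1.2.3", str(WEB_SERVER), "tcp", 22),      # intranet -> DMZ
        Packet(str(WEB_SERVER), "10.1.2.3", "tcp", 445),     # DMZ -> intranet
    ]
    for p in samples:
        print(f"{p.src:>14} -> {p.dst:<12} {p.proto}/{p.dport:<4} {evaluate(DMZ_ACL, p)}")
    print("ACL distinguishes payloads:", acl_inspects_payload())
```

The last function is the point of the example: every HTTP request that reaches port 80 or 443 on the Web server is permitted, whatever it contains, which is exactly why the guideline recommends a second firewall that understands the application protocol.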