eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.
A demilitarized zone (DMZ) network is a subnetwork that businesses use to protect their company’s local area network (LAN) and data from external sources. It’s important to prepare the network and firewalls in advance, then follow seven major steps to configure your DMZ’s protocols and rules. There are also some best practices for security and networking teams to remember while you configure your DMZ network.
Table of Contents
Your business and security teams should make sure you plan appropriately before configuring a demilitarized zone network. We recommend determining in advance every service you want to host, how many firewalls you plan to implement, and which traffic you want to allow and block.
Common services that businesses host within a DMZ include:
A standard external firewall routes external traffic to the DMZ, but some businesses choose to add an internal firewall that further divides the DMZ and the LAN. This increases security for your network in case a threat actor does manage to breach the DMZ. If they want to make it into the LAN, they’ll also need to breach the internal firewall.
While there are some basic firewall rules you can implement to route traffic to and from your DMZ, your business may want to get more specific depending on the resources hosted in the DMZ. Configure rules depending on your business-wide security policies and the vulnerabilities you already know exist.
When your networking, IT, or security teams begin the setup process for a DMZ, you’ll first handle basic tasks like choosing a host machine and naming the DMZ. Then you’ll need to configure the appropriate protocols, basic firewall rules, and any additional firewalls. Testing and audits are also important because they help your team improve the DMZ in the future.
Before you configure a DMZ, you need to determine on which machine you’ll host it. Because the DMZ is a separate subnetwork from the business’s local area network, the server on which a DMZ resides is often different from the computer hosting your private LAN. This will also improve security, since the data and applications within the LAN will be in a physically separate place from the DMZ and the external resources hosted in it.
Select a server that has specifications approved by your IT and networking teams. Additionally, choose a server with hardware bandwidth and resources to support the DMZ. Configure your router to route internet traffic to the specific interface you specify for the DMZ.
You’ll need to give the DMZ a name and specify its IP address, which should be a static address rather than dynamic. Navigate to the control or configuration panel of your specific firewall software and name the DMZ wherever you’re prompted to do so. I recommend choosing a name that’s intuitive and easy for your security team to remember.
Also, if you haven’t already, determine the IP addresses for each external-facing resource that resides in the DMZ, like web servers and email servers. Typically, these IP addresses are public, so they can be accessed from the public internet. If you want them to be private, you’ll have to make some more advanced adjustments.
If you’re not sure how to best specify or allocate IP addresses for your DMZ or its resources, check out this guide to IP addresses for best practices and recommendations.
Dynamic Host Configuration Protocol (DHCP) manages the ways computers use and share IP addresses. The way you perform this step will depend on your specific DMZ configuration. If you want to use a DHCP server that you already have, don’t enable DHCP for the DMZ. If you want to enable a DHCP server on the appliance where the DMZ is installed, give it a starting and ending IP address.
You’ll also need to give the DNS server and default gateway an IP address. The DNS server forwards traffic to the correct location by translating it into the appropriate IP address. The default gateway is a router on the internet-facing interface of the firewall, and it directs traffic to the internet.
If you need to support IPv6 on your DMZ, you’ll usually have to configure Internet Protocol version 6 (IPv6) separately. This process will vary depending on your hardware, so follow the instructions given by your specific vendor. Sometimes IPv4 is enabled as the default configuration for networking equipment because it’s compatible with more systems, but IPv6 is the newest standard and is preferable, so many businesses will need to support it.
/64 (64 bits) is the default prefix length for an IPv6 address prefix, but there are other options, like /60 or /56. Prefix length affects the network’s host capacity. It also affects network routing — if you have a longer prefix length, you have more specific data for routing traffic, which is more efficient.
At this point, you’ll need to configure any firewall rules that permit inbound network traffic to connect to the web server within the DMZ. This will vary depending on your business’s needs, but we recommend your team configure the external firewall to only connect traffic to ports associated with the resources you’ve specified within the DMZ. For example, traffic headed to the email server’s specific port is permitted. All other requests should be blocked.
If external traffic is attempting to access TCP port 443, only allow Hypertext Transfer Protocol Secure (HTTPS). Allowing HTTP traffic is a risk because it’s the unsecured version of the internet protocol, and requests transmitted with HTTP aren’t encrypted.
Learn more about configuring firewall rules, including a simple firewall rule example and how to manage your business’s rules over time.
If your business has decided to use a dual firewall strategy for your DMZ, you’ll want to configure a firewall between the DMZ and the private LAN once the DMZ is set up. An internal or backend firewall processes traffic that attempts to travel from the DMZ to the internal LAN. This firewall will likely have more strict rules than the external firewall.
To set up a software-based internal firewall, install and configure a firewall application on the server hosting the DMZ. If you want to use an appliance, connect the hardware firewall to the server hosting the DMZ, using a cable.
Only permit traffic to enter the LAN if the traffic is coming from the resources your business has placed within the DMZ. Don’t permit requests if they originate from the external traffic in the DMZ. You could use an allowlist or whitelist here, so only a few addresses are specified.
If you’re debating what type of firewall to use, check out our guide to firewall types next.
After you’ve set up the initial network, test whether or not it works. Your networking and security teams need to know whether the firewall rules you’ve configured are properly accepting and blocking traffic.
Additionally, make sure you test the dual firewall if you’ve configured that between the DMZ and the internal LAN. Make sure the firewall rules or whitelist work so only approved resources within the DMZ are able to transmit requests to the internal LAN.
Lastly, run regular firewall audits to ensure the DMZ continues working as you initially planned. While testing is a good practice, a full firewall audit will reveal other areas you might need to reconfigure or increase the network’s security.
Read more about performing a full network audit if your business needs to test how well the network performs.
When you’re configuring a demilitarized zone, keep in mind that all processes should be carefully documented so future networking and security teams can more easily update network controls. Additionally, consider using a dual firewall strategy if you need the extra security, and make sure your security teams update your DMZ as needed.
Keep easy-to-understand records of DMZ setup processes so your security, networking, or IT teams can access them. If one of the employees in charge of the configuration leaves the company, their coworkers should still have documentation that explains how the DMZ was configured and which firewall rules are currently in place.
If you’re on the fence about installing both an external and internal firewall, and you’re hosting a lot of sensitive applications and resources within your private LAN, consider the dual firewall approach. Having a firewall between your DMZ and LAN helps increase security in case a threat actor does indeed manage to breach the DMZ.
You may need to change port and firewall rule settings if your business discovers additional security needs or an audit reveals misconfigurations and vulnerabilities. Create a schedule for reviewing updates so the DMZ can continue to meet security expectations as your organization’s needs change.
Setting up your business’s DMZ depends somewhat on your specific networks, appliances, and servers, but there are general setup principles and best practices you should follow. DMZ network configurations may also change over time as your organization decides which resources and servers it wants to host on which network. If you set up your team for flexibility, you’ll be able to adjust more quickly when you have to reconfigure DMZs and private LANs.
If your business is considering other security configurations or best practices for your networks, read our guide to securing your business network next.
Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday