3.3.3. Single DMZ firewall architecture
DMZ is the abbreviation of "demilitarized zone"; its Chinese name is "isolation zone", and it is also called a "demilitarized zone". It is a buffer zone between the insecure (external) system and the secure (internal) system. It solves the problem that, once a firewall is installed, the external network can no longer reach servers on the internal network, which obstructs the deployment of Web, E-mail and other network services. The buffer zone is a small network segment between the internal network and the external network, in which the servers that must be publicly reachable, such as corporate Web servers, FTP servers and forums, are placed. With such a DMZ the internal network is protected more effectively, because this deployment places an additional barrier, comparable to a security gate, between an attacker and the internal hosts, which a plain firewall does not provide.
In the single DMZ firewall structure the screening (shield) router and the bastion host are connected to the same network segment, so that data crossing the firewall must first pass through these two security units, the screening router and the bastion host. The bastion host in this structure is a dual-homed host, and the DMZ becomes an additional layer of security between the external network and the internal network. The bastion host can act as an application gateway or as a proxy server. Since the bastion host is the only host that is reachable directly from the external network and that can access the internal network, the internal hosts are protected.
3.3.4. Dual DMZ firewall architecture
If the internal network requires that some information be shared by giving the outside direct access to it, this can be solved by creating two DMZ zones in the firewall: an outer DMZ and an inner DMZ. Public information servers such as Web and FTP servers are placed in the outer DMZ, and these server systems themselves act as outer bastion hosts. For packets arriving from the external network, the outer screening router blocks external attacks and controls access to the outer DMZ, while the inner screening router accepts only packets whose destination address is the bastion host and controls access from the inner DMZ to the internal network. For packets bound for the external network, the inner screening router controls access from the bastion host to the DMZ network. The firewall system allows sites on the internal network to reach only the bastion host, and the screening router passes outbound only packets from the bastion host that are destined for the external network.
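As an added illustration that is not part of the original text, the following Python model encodes the packet-filtering policy of the dual DMZ structure just described; the single DMZ structure of 3.3.3 is the same chain with the outer screening router and the outer DMZ removed, leaving the screening router and the dual-homed bastion host as the two security units. The address plan, the published ports, the bastion host's proxy ports and the exact placement of the bastion host (dual-homed between the inner DMZ and the internal network) are assumptions made for this example, and the sample packets are constructed.

```python
"""Model of the dual-DMZ (screened subnet) firewall policy.

Assumed layout (added example, not from the page):
  external -- outer router -- outer DMZ -- inner router -- inner DMZ -- bastion -- internal
A packet is admitted only if every device on its path accepts it.
"""
import ipaddress
from dataclasses import dataclass

# Assumed address plan (constructed for this example). Position = place on the chain.
ZONES = {
    "outer_dmz": (ipaddress.ip_network("203.0.113.0/24"), 1),
    "inner_dmz": (ipaddress.ip_network("192.168.100.0/24"), 2),
    "internal": (ipaddress.ip_network("10.0.0.0/8"), 3),
}
# Outer-DMZ servers that act as outer bastion hosts -> the ports they publish.
PUBLIC_SERVERS = {
    ipaddress.ip_address("203.0.113.10"): {80, 443},  # Web server
    ipaddress.ip_address("203.0.113.20"): {21},       # FTP control port
}
BASTION_DMZ_ADDR = ipaddress.ip_address("192.168.100.10")  # inner-DMZ side of the bastion
BASTION_INT_ADDR = ipaddress.ip_address("10.0.0.1")         # internal side of the bastion
PROXY_PORTS = {25, 8080}  # assumed: mail relay and HTTP proxy offered by the bastion


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def zone(addr: str) -> str:
    """Name of the zone an address belongs to; unknown prefixes are the external network."""
    ip = ipaddress.ip_address(addr)
    for name, (net, _) in ZONES.items():
        if ip in net:
            return name
    return "external"


def position(addr: str) -> int:
    z = zone(addr)
    return ZONES[z][1] if z in ZONES else 0


def outer_router(pkt: Packet) -> bool:
    """Between the external network and the outer DMZ.
    Inbound: only the published services, or the bastion's proxy ports.
    Outbound: only packets the bastion host sends to the external network."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if zone(pkt.src) == "external":
        if dst in PUBLIC_SERVERS:
            return pkt.dport in PUBLIC_SERVERS[dst]
        return dst == BASTION_DMZ_ADDR and pkt.dport in PROXY_PORTS
    return src == BASTION_DMZ_ADDR and zone(pkt.dst) == "external"


def inner_router(pkt: Packet) -> bool:
    """Between the outer DMZ and the inner DMZ.
    Inbound: only packets whose destination address is the bastion host.
    Outbound: only packets originated by the bastion host."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if position(pkt.src) <= 1:  # arriving from the external / outer-DMZ side
        return dst == BASTION_DMZ_ADDR and pkt.dport in PROXY_PORTS
    return src == BASTION_DMZ_ADDR


def bastion_host(pkt: Packet) -> bool:
    """Dual-homed bastion with IP forwarding disabled: the only packets that
    cross it are those addressed to it; its proxies open new connections."""
    return ipaddress.ip_address(pkt.dst) in (BASTION_DMZ_ADDR, BASTION_INT_ADDR)


# Device guarding the hop between chain positions i and i+1.
DEVICES = {0: outer_router, 1: inner_router, 2: bastion_host}


def devices_on_path(src: str, dst: str):
    a, b = position(src), position(dst)
    return [DEVICES[i] for i in range(min(a, b), max(a, b))]


def admitted(pkt: Packet) -> bool:
    """True if every device between the source and destination zones accepts the packet."""
    return all(dev(pkt) for dev in devices_on_path(pkt.src, pkt.dst))


if __name__ == "__main__":
    samples = [  # constructed packets; 198.51.100.7 stands in for an Internet host
        Packet("198.51.100.7", "203.0.113.10", 80),     # public Web: allowed
        Packet("198.51.100.7", "10.0.0.5", 445),        # straight to internal: blocked
        Packet("203.0.113.10", "10.0.0.5", 445),        # compromised Web server pivoting: blocked
        Packet("10.0.0.5", "198.51.100.7", 443),        # internal host bypassing the proxy: blocked
        Packet("10.0.0.5", "10.0.0.1", 8080),           # internal host to bastion proxy: allowed
        Packet("192.168.100.10", "198.51.100.7", 443),  # bastion fetching on its behalf: allowed
    ]
    for p in samples:
        print(f"{p.src:>15} -> {p.dst:<15} :{p.dport:<5} {'ALLOW' if admitted(p) else 'DROP'}")
```

The model makes the page's point concrete: an attacker who owns a public server in the outer DMZ still faces the inner screening router, which drops anything not addressed to the bastion, and an internal host cannot reach the outside except through the bastion's proxies, because the dual-homed host does not forward packets.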
The advantage of deploying a firewall with a DMZ is that an intruder must break through several different devices, such as the outer screening router, the inner screening router and the bastion host, in order to attack the internal network. This makes an attack much more difficult, and accordingly the security of the internal network is greatly enhanced, but the construction cost is correspondingly the highest.