This double-layered security structure allows the static routers to be configured so that data traffic between the networks is regulated as follows:

| User located | Access to DMZ | Access to LAN | Access to internet |
|---|---|---|---|
| … on the internet (WAN) | allowed | denied | - |
| … on LAN | allowed | - | allowed |
| … in DMZ | - | denied | denied |
While users from the LAN are able to access public networks as well as servers located in the DMZ, internet users are only allowed access to the demilitarized zone. Data traffic originating in the DMZ is blocked by both firewalls.

Using firewalls from different manufacturers is also recommended; otherwise a single security gap is enough to breach both firewalls. To prevent an attack from spreading from a compromised server to other devices within the DMZ, additional firewalls are placed between these network components. Alternatively, segmentation into VLANs (Virtual Local Area Networks) is used to separate them.
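The following is an added example, not code from the original text: a small Python model of the two-firewall topology (WAN, outer firewall, DMZ, inner firewall, LAN) described above. Instead of hard-coding the access table, each firewall carries its own default-deny rule set and a connection is reachable only if every firewall on its path accepts it, which reproduces the table row by row. The model also shows the point about independent firewalls: treating one firewall as fully bypassed (the assumed meaning of "breached" here) still leaves internet-to-LAN and DMZ-to-LAN traffic blocked by the other one. Zone names, the rule format, the `compromised` flag and the helper functions are all assumptions of this example.

```python
"""Model of a two-firewall DMZ: WAN -- outer FW -- DMZ -- inner FW -- LAN.

Constructed example. Only who may *initiate* a connection is modelled;
return traffic of an accepted connection is assumed to be passed by
connection tracking, as a stateful filter would do.
"""
from enum import Enum
from itertools import permutations


class Zone(Enum):
    WAN = "internet"
    DMZ = "dmz"
    LAN = "lan"


ALLOW, DENY = "allowed", "denied"


class Firewall:
    """First matching (src, dst) rule wins; anything unmatched is dropped."""

    def __init__(self, name, rules):
        self.name = name
        self.rules = rules          # list of (src_zone, dst_zone, verdict)
        self.compromised = False    # assumption: a breached firewall passes everything

    def verdict(self, src, dst):
        if self.compromised:
            return ALLOW
        for rule_src, rule_dst, action in self.rules:
            if rule_src == src and rule_dst == dst:
                return action
        return DENY                 # default deny


# Outer firewall: sits between the internet and the DMZ.
OUTER = Firewall("outer", [
    (Zone.WAN, Zone.DMZ, ALLOW),    # public services are reachable from the internet
    (Zone.LAN, Zone.WAN, ALLOW),    # LAN users may reach the internet
    # DMZ -> WAN and WAN -> LAN fall through to default deny
])

# Inner firewall: sits between the DMZ and the LAN.
INNER = Firewall("inner", [
    (Zone.LAN, Zone.DMZ, ALLOW),    # LAN users may reach the DMZ servers
    (Zone.LAN, Zone.WAN, ALLOW),    # LAN users may pass through on the way out
    # DMZ -> LAN and WAN -> LAN fall through to default deny
])


def path(src, dst):
    """Firewalls a new connection from src to dst has to cross in this topology."""
    hops = {
        frozenset({Zone.WAN, Zone.DMZ}): [OUTER],
        frozenset({Zone.DMZ, Zone.LAN}): [INNER],
        frozenset({Zone.WAN, Zone.LAN}): [OUTER, INNER],   # must traverse the DMZ
    }
    return hops[frozenset({src, dst})]


def reachable(src, dst):
    """A flow is allowed only if every firewall on its path allows it."""
    return all(fw.verdict(src, dst) == ALLOW for fw in path(src, dst))


def policy_matrix():
    """Derive the zone-to-zone access table from the two rule sets."""
    return {(s, d): ALLOW if reachable(s, d) else DENY
            for s, d in permutations(Zone, 2)}


def reachable_when_breached(src, dst, breached):
    """Re-evaluate a flow while the named firewalls are treated as fully bypassed."""
    firewalls = [OUTER, INNER]
    for fw in firewalls:
        fw.compromised = fw.name in breached
    try:
        return reachable(src, dst)
    finally:
        for fw in firewalls:
            fw.compromised = False


if __name__ == "__main__":
    for (src, dst), verdict in sorted(policy_matrix().items(), key=lambda kv: (kv[0][0].name, kv[0][1].name)):
        print(f"{src.name:>3} -> {dst.name:<3}: {verdict}")
    for breached in ({"outer"}, {"inner"}, {"outer", "inner"}):
        print(f"WAN -> LAN with {sorted(breached)} bypassed:",
              reachable_when_breached(Zone.WAN, Zone.LAN, breached))
```

Running the script prints the same six verdicts as the table (internet to DMZ allowed, internet to LAN denied, LAN to DMZ and internet allowed, DMZ to both denied) and then shows that internet-to-LAN traffic becomes reachable only when both firewalls are bypassed at once; if the two share the same flaw, that is exactly what a single security gap achieves.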