DMZ (computing)
==Architecture==
There are many different ways to design a network with a DMZ. Two of the most basic methods are with a single [[firewall (networking)|firewall]], also known as the three-legged model, and with dual firewalls, also known as back-to-back. These architectures can be expanded to create very complex architectures depending on the network requirements.

===Single firewall===
[[File:DMZ network diagram 1 firewall.svg|thumb|right|200px|Diagram of a typical three-legged network model employing a DMZ using a single firewall.]]
A single firewall with at least 3 network interfaces can be used to create a network architecture containing a DMZ. The external network is formed from the [[ISP]] to the firewall on the first network interface, the internal network is formed from the second network interface, and the DMZ is formed from the third network interface. The firewall becomes a single point of failure for the network and must be able to handle all of the traffic going to the DMZ as well as the internal network. The zones are usually marked with colors; for example, purple for LAN, green for DMZ, and red for Internet (often with another color used for wireless zones).

===Dual firewall===
[[File:DMZ network diagram 2 firewall.svg|thumb|right|200px|Diagram of a typical network employing a DMZ using dual firewalls.]]
The most secure approach, according to Colton Fralick,<ref name="jacobs">{{cite book | url=https://books.google.com/books?id=2eQ2yxTA3tUC&pg=PA296 | title=Engineering Information Security: The Application of Systems Engineering Concepts to Achieve Information Assurance | publisher=John Wiley & Sons | author=Jacobs, Stuart | year=2015 | page=296| isbn=9781119101604}}</ref> is to use two firewalls to create a DMZ.
The first firewall (also called the "front-end" or "perimeter"<ref>{{cite web|title=Perimeter Firewall Design|url=https://technet.microsoft.com/en-us/library/cc700828.aspx|work=Microsoft Security TechCenter|date=29 June 2009 |publisher=Microsoft Corporation|access-date=14 October 2013}}</ref> firewall) must be configured to allow traffic destined to the DMZ only. The second firewall (also called the "back-end" or "internal" firewall) only allows traffic to the DMZ from the internal network. This setup is considered<ref name="jacobs"/> more secure since two devices would need to be compromised. There is even more protection if the two firewalls are provided by two different vendors, because it makes it less likely that both devices suffer from the same security vulnerabilities. For example, a security hole found to exist in one vendor's system is less likely to occur in the other one. One of the drawbacks of this architecture is that it is more costly, both to purchase and to manage.<ref>{{cite web | url=https://zeltser.com/firewalls-for-multitier-applications | title=Firewall Deployment for Multitier Applications | author=Zeltser, Lenny | date=April 2002}}</ref> The practice of using different firewalls from different vendors is sometimes described as a component of a "[[Defense in Depth (computing)|defense in depth]]"<ref name="sans">{{cite web | url=https://www.sans.org/reading-room/whitepapers/firewalls/designing-dmz-950 | title=Designing a DMZ | publisher=SANS Institute | date=2001 | access-date=11 December 2015 | author=Young, Scott | pages=2}}</ref> security strategy.
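To make the two layouts above concrete, here is an added illustration (not part of the article and not any vendor's configuration): a small Python model that evaluates the same constructed flows against a three-legged single-firewall policy and against the front-end/back-end pair. The zone address ranges, the service ports, the rule sets and the sample flows are all assumptions; the two dual-firewall rule sets follow the section's wording literally (front-end admits traffic destined for the DMZ only, back-end admits traffic to the DMZ from the internal network only), so a flow between the Internet and the internal network has to clear both devices.

```python
"""Toy zone-policy evaluator for the single- and dual-firewall DMZ layouts.
Added illustration: zones, ports, rules and flows are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

# Constructed address plan: one subnet per zone; anything else is "internet".
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),   # RFC 5737 documentation range
    "lan": ip_network("10.0.0.0/8"),
}


def zone_of(addr: str) -> str:
    """Map an address to the zone (firewall interface) it sits behind."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    dport: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Firewall:
    name: str
    rules: Tuple[Rule, ...]

    def allows(self, src_zone: str, dst_zone: str, dport: int) -> bool:
        """Accept list with default deny: a flow passes only if a rule matches."""
        return any(r.src == src_zone and r.dst == dst_zone
                   and r.dport in (None, dport) for r in self.rules)


# Three-legged model: one device holds the policy for every zone pair.
SINGLE = Firewall("three-legged", (
    Rule("internet", "dmz", 443),   # public web service hosted in the DMZ
    Rule("lan", "dmz", 443),
    Rule("lan", "dmz", 22),         # administration from the LAN
    Rule("lan", "internet"),        # outbound browsing (assumed policy)
))

# Back-to-back model: each device only sees the zone pairs it joins.
FRONT_END = Firewall("front-end", (Rule("internet", "dmz", 443),))
BACK_END = Firewall("back-end", (Rule("lan", "dmz", 443), Rule("lan", "dmz", 22)))

PathFn = Callable[[str, str], List[Firewall]]


def path_single(src_zone: str, dst_zone: str) -> List[Firewall]:
    """Every inter-zone flow crosses the one firewall (its single point of failure)."""
    return [SINGLE] if src_zone != dst_zone else []


def path_dual(src_zone: str, dst_zone: str) -> List[Firewall]:
    """Devices a flow traverses in the dual-firewall layout, in order."""
    pair = {src_zone, dst_zone}
    if pair == {"internet", "dmz"}:
        return [FRONT_END]
    if pair == {"dmz", "lan"}:
        return [BACK_END]
    if pair == {"internet", "lan"}:   # must clear both devices
        return [FRONT_END, BACK_END] if src_zone == "internet" else [BACK_END, FRONT_END]
    return []   # intra-zone traffic never reaches a firewall


def permitted(path: PathFn, src: str, dst: str, dport: int) -> bool:
    """A flow is permitted only if every firewall on its path accepts it."""
    s, d = zone_of(src), zone_of(dst)
    return all(fw.allows(s, d, dport) for fw in path(s, d))


def compare(flows: Dict[str, Tuple[str, str, int]]) -> Dict[str, Tuple[bool, bool]]:
    """Evaluate constructed flows under both layouts: {label: (single, dual)}."""
    return {label: (permitted(path_single, s, d, p), permitted(path_dual, s, d, p))
            for label, (s, d, p) in flows.items()}


# Constructed sample flows (203.0.113.0/24 is another documentation range).
SAMPLE_FLOWS = {
    "internet->dmz:443": ("203.0.113.5", "192.0.2.10", 443),
    "internet->lan:445": ("203.0.113.5", "10.1.2.3", 445),
    "dmz->lan:3306":     ("192.0.2.10", "10.1.2.3", 3306),  # what a breached DMZ host could reach
    "lan->dmz:22":       ("10.1.2.3", "192.0.2.10", 22),
    "lan->internet:443": ("10.1.2.3", "203.0.113.5", 443),
}

if __name__ == "__main__":
    for label, (single, dual) in compare(SAMPLE_FLOWS).items():
        print(f"{label:20} single={single!s:5} dual={dual!s:5}")
```

Running it shows that both layouts block Internet-to-LAN and DMZ-to-LAN flows; the difference is that in the back-to-back layout a DMZ-to-LAN flow is judged by a device the Internet never talks to, which is the "two devices would need to be compromised" property. Under the section's literal back-end rule (DMZ-bound traffic from the LAN only) the LAN-to-Internet flow is refused as well; a real deployment adds an explicit outbound rule for that.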