Security Infrastructure - Isolation
Posted by Eric Wickberg on Thu, Jul 09, 2009 @ 12:13 PM
The importance of isolating segments of your infrastructure so that only controlled communication passes between them cannot be emphasized enough.
A simple rule to follow that will provide much stronger security right away is this:
No outside device can talk to a device on the inside network directly.
So how does one accomplish what appears to be a complex task? It's quite simple, actually - you put isolated networks into your security infrastructure that have limited communication with both the outside world and your internal network. This provides a buffer - or layer - between the outside world and the secure internal network. A suitable enforcement device (a firewall) controls that limited communication: it denies everything by default and permits only the specific flows, to specific ports, that each relay needs.
These types of networks are commonly referred to as DMZs (Demilitarized Zones). In the military sense, a DMZ is an area between opposing forces in which neither side operates. In the IT world, the term describes something similar - a buffer zone that allows layered security.
In an ideal world, you would have a separate DMZ, with a separate switch, for each type of traffic allowed from the outside world. Often, resources and equipment requirements prevent this from being a reality. At minimum, each organization should have one device in an isolated network that acts as a relay for data going to or from the internal network.
Examples of this are mail relay servers, web servers that pull information from servers on the internal network (or, preferably, from another DMZ), and static web servers. In each case the relay is the only host the outside world can reach, and it is reachable only on the ports its role requires; the relay, not the outside host, is what talks to the internal network.
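To make the rule concrete, here is a small zone-based policy model for the layout above: an outside zone, a DMZ holding the mail relay and web server, and the internal network, with a default-deny allow-list and a check that no rule ever lets outside reach inside directly. This is an added illustration, not code from the original post; the address ranges, the port numbers and the rule set are assumptions chosen for the example, and the model covers connection initiation only (a real firewall would track state so replies are permitted automatically).

```python
"""
Zone-based firewall policy model for a DMZ layout (illustrative example,
not the original post's code). Addresses, ports and rules are constructed.
"""
from dataclasses import dataclass
import ipaddress

# Assumed address plan (constructed for the example). 'outside' is the
# catch-all, so zone lookup must test the specific zones first.
ZONES = {
    "inside": [ipaddress.ip_network("10.0.0.0/8")],
    "dmz": [ipaddress.ip_network("192.0.2.0/24")],
    "outside": [ipaddress.ip_network("0.0.0.0/0")],
}


@dataclass(frozen=True)
class Rule:
    src: str      # source zone
    dst: str      # destination zone
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    note: str


# Default-deny allow-list: only these connections may be initiated.
# Every path between outside and inside goes through a DMZ relay.
POLICY = [
    Rule("outside", "dmz", "tcp", 25, "Internet -> mail relay in DMZ"),
    Rule("dmz", "inside", "tcp", 25, "mail relay -> internal mail server"),
    Rule("inside", "dmz", "tcp", 25, "internal mail server -> relay (outbound mail)"),
    Rule("dmz", "outside", "tcp", 25, "mail relay -> Internet"),
    Rule("outside", "dmz", "tcp", 443, "Internet -> public web server"),
    Rule("dmz", "inside", "tcp", 5432, "web server -> internal database (assumed port)"),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; most specific zone wins."""
    addr = ipaddress.ip_address(ip)
    for name in ("inside", "dmz", "outside"):
        if any(addr in net for net in ZONES[name]):
            return name
    raise ValueError(f"no zone for {ip}")


def allowed(src_ip: str, dst_ip: str, proto: str, dport: int, policy=POLICY) -> bool:
    """True if a new connection matching the 4-tuple is permitted.

    Anything not explicitly listed is denied. Traffic that stays inside one
    zone is out of scope for the perimeter firewall, so it is passed through.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True
    return any(
        r.src == src and r.dst == dst and r.proto == proto and r.dport == dport
        for r in policy
    )


def violations(policy) -> list:
    """Rules that let outside and inside talk directly, in either direction.

    This is the post's one rule, expressed as an invariant you can run over
    a rule set before deploying it.
    """
    return [r for r in policy if {r.src, r.dst} == {"outside", "inside"}]


if __name__ == "__main__":
    # Constructed sample flows: an Internet host, the DMZ relay, an inside server.
    flows = [
        ("203.0.113.7", "192.0.2.25", "tcp", 25),   # Internet -> relay: allowed
        ("192.0.2.25", "10.1.1.25", "tcp", 25),     # relay -> inside mail: allowed
        ("203.0.113.7", "10.1.1.25", "tcp", 25),    # Internet -> inside mail: denied
        ("203.0.113.7", "192.0.2.25", "tcp", 22),   # Internet -> relay SSH: denied
    ]
    for f in flows:
        print(f, "ALLOW" if allowed(*f) else "DENY")
    print("policy violations:", violations(POLICY))
```

Running the script lists each sample flow with its verdict and reports an empty violation list; adding a rule such as `Rule("outside", "inside", "tcp", 25, "shortcut")` makes `violations()` flag it, which is the kind of check to run against any change to the rule set.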
The primary goal is to isolate, as much as possible, the sacred internal network from the Internet.