What is a DMZ (Demilitarized Zone)?

xiaoxiao 2021-03-06

To provide different security levels for different resources, consider building a region called a "Demilitarized Zone" (DMZ). A DMZ can be understood as a special network area that is distinct from both the external network and the intranet. The DMZ usually hosts public servers that do not contain confidential information, such as web, mail and FTP servers. Visitors from the external network can then access the services in the DMZ, but they cannot come into contact with corporate confidential or private information stored in the intranet. Even if a server in the DMZ is compromised, the confidential information in the intranet is not affected. When planning a network with a DMZ, we can clarify the access relationships between the networks and determine the following six access control policies.

1. The intranet can access the external network. Intranet users clearly need to access the external network freely. In this policy, the firewall needs to perform source address translation.

2. The intranet can access the DMZ. This policy lets intranet users use and manage the servers in the DMZ.

3. The external network cannot access the intranet. The intranet clearly holds the company's internal data, which external users must not be allowed to access.

4. The external network can access the DMZ. The servers in the DMZ exist to provide services to the outside world, so the external network must be able to access the DMZ. For this access, the firewall needs to translate the external address to the actual address of the server.

5. The DMZ cannot access the intranet. If this policy is violated, an intruder who has captured the DMZ can go on to attack important data in the intranet.

6. The DMZ cannot access the external network. This policy has exceptions: for example, a mail server placed in the DMZ needs to access the external network, otherwise it will not work.
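
The six policies above expressed as a stateful firewall ruleset, as an added example that is not part of the original article. It is written for nftables; the interface names (wan0, lan0, dmz0), the addresses and the published ports are assumptions chosen for illustration.

```nftables
# Assumed names and addresses (not from the article); 192.0.2.0/24 is a documentation range.
define WAN = "wan0"            # external network
define LAN = "lan0"            # intranet
define DMZ = "dmz0"            # DMZ segment
define PUB_IP   = 192.0.2.10   # public address of the firewall
define WEB_SRV  = 10.0.2.10    # actual address of the DMZ web server
define MAIL_SRV = 10.0.2.25    # actual address of the DMZ mail server

table inet dmz_policy {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were permitted when they were opened.
        ct state established,related accept
        ct state invalid drop

        # Policy 1: intranet -> external network
        iifname $LAN oifname $WAN accept
        # Policy 2: intranet -> DMZ (use and manage the servers)
        iifname $LAN oifname $DMZ accept
        # Policy 4: external network -> DMZ, published services only
        iifname $WAN oifname $DMZ ip daddr $WEB_SRV tcp dport { 80, 443 } accept
        iifname $WAN oifname $DMZ ip daddr $MAIL_SRV tcp dport 25 accept
        # Policy 6 exception: the mail server may deliver mail outward
        iifname $DMZ oifname $WAN ip saddr $MAIL_SRV tcp dport 25 accept

        # Policies 3, 5 and 6: log the attempt, then drop it
        iifname $WAN oifname $LAN log prefix "wan->lan " drop
        iifname $DMZ oifname $LAN log prefix "dmz->lan " drop
        iifname $DMZ oifname $WAN log prefix "dmz->wan " drop
    }
}

table ip dmz_nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # Policy 4: external address -> actual server address
        iifname $WAN ip daddr $PUB_IP tcp dport { 80, 443 } dnat to $WEB_SRV
        iifname $WAN ip daddr $PUB_IP tcp dport 25 dnat to $MAIL_SRV
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        # Policy 1: source address translation for outbound traffic
        oifname $WAN snat to $PUB_IP
    }
}
```

Because the forward chain drops by default and replies are matched by connection state, policies 3 and 5 hold without blocking the answers to connections that the intranet opened itself. A logged "dmz->lan" or "dmz->wan" drop is worth alerting on, since a DMZ server should not be initiating those connections.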

When reprinting, please cite the original address: https://www.9cbs.com/read-91253.html
