The Demilitarised Zone (DMZ) is a semi-trusted network segment between the public internet and an organisation’s internal network, hosting web servers, FTP services, email relays, and DNS. Despite its protective design, protocols operating within it carry vulnerabilities that attackers exploit to pivot into the internal network.
DMZ Architecture Options

| Method | Description |
|---|---|
| Layered DMZ | Systems placed between two firewalls with different rule sets; internet traffic reaches the DMZ but not internal segments |
| Multi-Interface Firewall | Single firewall with a third interface managing traffic between internet, DMZ, and internal network. Currently the preferred design. |
Commonly Permitted DMZ Protocols

| Protocol | Port(s) |
|---|---|
| FTP | TCP 20, 21 |
| SMTP | TCP 25 |
| DNS | TCP/UDP 53 |
| HTTP | TCP 80 |
| HTTPS | TCP 443 |
| SSH (management) | TCP 22 |
Internal vs External DMZ Protocol Attacks
Internal attacks exploit protocols communicating between DMZ systems — e.g., compromising a web server to pivot to a database server over a trusted channel.
External attacks exploit protocols from the DMZ reaching into the internal corporate network — pivoting from a compromised DMZ host into the intranet.
Countermeasures

- Apply all available patches against known DMZ protocol exploits promptly.
- Deploy an Intrusion Prevention System (IPS) on DMZ segments.
- Maintain a robust security policy and sound audit trail.
- Isolate the DMZ — never connect it directly to the internal network.
- Keep no credentials, vital resources, or sensitive internal data in the DMZ.
- Files created in the DMZ must be reviewed by an administrator before migration to the internal network.
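The permitted-protocol table and the "isolate the DMZ" countermeasure above are easiest to reason about as a concrete rule set. The following is an added example, not code from the original article: a small first-match model of a multi-interface (three-legged) firewall policy that encodes the table's internet-to-DMZ services, a default deny, and an audit that flags any rule letting the DMZ or the internet initiate connections into the internal network. The zone names, the decision to permit SSH management only from the internal side, the outbound SMTP/DNS rules for DMZ hosts, and the sample flows are assumptions made for the illustration; the rule table is a teaching model, not a real firewall syntax.

```python
"""Toy first-match model of a three-interface DMZ firewall policy.

Added example; zone names, rule ordering and sample flows are constructed
here for illustration and are not taken from the article.
"""
from dataclasses import dataclass
from typing import List, Optional

INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"


@dataclass(frozen=True)
class Flow:
    """A new connection attempt as the firewall sees it (zone-to-zone)."""
    src_zone: str
    dst_zone: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """One policy entry; None in proto/dport means 'any'."""
    src_zone: str
    dst_zone: str
    proto: Optional[str]
    dport: Optional[int]
    action: str  # "accept" or "drop"

    def matches(self, f: Flow) -> bool:
        return (self.src_zone == f.src_zone
                and self.dst_zone == f.dst_zone
                and self.proto in (None, f.proto)
                and self.dport in (None, f.dport))


# Services published to the internet, taken from the article's protocol table
# (SSH deliberately excluded: management access is granted from INTERNAL only).
PUBLISHED_SERVICES = [("tcp", 20), ("tcp", 21), ("tcp", 25),
                      ("tcp", 53), ("udp", 53), ("tcp", 80), ("tcp", 443)]

POLICY: List[Rule] = [Rule(INTERNET, DMZ, p, port, "accept") for p, port in PUBLISHED_SERVICES]
POLICY.append(Rule(INTERNAL, DMZ, "tcp", 22, "accept"))   # assumed: SSH management from inside only
POLICY.append(Rule(INTERNAL, INTERNET, None, None, "accept"))  # assumed: users may browse out
POLICY.append(Rule(DMZ, INTERNET, "tcp", 25, "accept"))    # assumed: mail relay forwards outbound
POLICY.append(Rule(DMZ, INTERNET, "udp", 53, "accept"))    # assumed: DNS server resolves upstream
DEFAULT_ACTION = "drop"  # anything not listed, including DMZ -> INTERNAL, is dropped


def evaluate(policy: List[Rule], flow: Flow) -> str:
    """Return the action of the first matching rule, or the default action."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return DEFAULT_ACTION


def audit_isolation(policy: List[Rule]) -> List[Rule]:
    """Accept rules that let a less-trusted zone initiate into INTERNAL.

    The article's countermeasure is that the DMZ is never connected directly
    to the internal network, so a clean policy returns an empty list.
    """
    return [r for r in policy
            if r.action == "accept" and r.dst_zone == INTERNAL and r.src_zone != INTERNAL]


def audit_exposure(policy: List[Rule]) -> List[Rule]:
    """Internet -> DMZ accepts for ports outside the published service table."""
    allowed = set(PUBLISHED_SERVICES)
    return [r for r in policy
            if r.action == "accept" and r.src_zone == INTERNET and r.dst_zone == DMZ
            and (r.proto, r.dport) not in allowed]


if __name__ == "__main__":
    # Constructed sample flows: a web hit, an SSH attempt from the internet,
    # and a DMZ web server trying to reach an internal database port.
    for f in (Flow(INTERNET, DMZ, "tcp", 443),
              Flow(INTERNET, DMZ, "tcp", 22),
              Flow(DMZ, INTERNAL, "tcp", 1433)):
        print(f, "->", evaluate(POLICY, f))
    # A mis-edited policy that punches a hole from the DMZ into the intranet.
    leaky = POLICY + [Rule(DMZ, INTERNAL, "tcp", 1433, "accept")]
    print("isolation violations:", audit_isolation(leaky))
```

The audit functions are the useful part: run them against the live rule table whenever it changes, and treat any non-empty result from `audit_isolation` as a policy regression rather than something to review later.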