The Demilitarised Zone (DMZ) is a semi-trusted network segment between the public internet and an organisation’s internal network, hosting web servers, FTP services, email relays, and DNS. Despite its protective design, protocols operating within it carry vulnerabilities that attackers exploit to pivot into the internal network.

DMZ Architecture Options

Method	Description
Layered DMZ	Systems placed between two firewalls with different rule sets; internet traffic reaches DMZ but not internal segments
Multi-Interface Firewall	Single firewall with a third interface managing traffic between internet, DMZ, and internal network. Currently the preferred design.

Commonly Permitted DMZ Protocols

Protocol	Port(s)
FTP	TCP 20, 21
SMTP	TCP 25
DNS	TCP/UDP 53
HTTP	TCP 80
HTTPS	TCP 443
SSH (management)	TCP 22

Internal vs External DMZ Protocol Attacks

• Internal attacks exploit protocols communicating between DMZ systems — e.g., compromising a web server to pivot to a database server over a trusted channel.
• External attacks exploit protocols from the DMZ reaching into the internal corporate network — pivoting from a compromised DMZ host into the intranet.

Countermeasures

• Apply all available patches against known DMZ protocol exploits promptly.
• Deploy an Intrusion Prevention System (IPS) on DMZ segments.
• Maintain a robust security policy and sound audit trail.
• Isolate the DMZ — never connect it directly to the internal network.
• Keep no credentials, vital resources, or sensitive internal data in the DMZ.
• Files created in the DMZ must be reviewed by an administrator before migration to the internal network.