Dr. Tom Shinder's ISA Server and Beyond: Real World Security Solutions for Microsoft Enterprise Networks

Chapter 2: Defense Plan 1: The Trihomed DMZ

Introduction

A demilitarized zone (DMZ) is a network segment that lies between the internal network and the Internet. Consider a DMZ segment a type of "no man's land" where anyone or anything unfortunate enough to find its way onto that segment is considered fair game for attack. You must assume that any network host placed on a DMZ segment will be attacked and compromised. Maybe not today, maybe not tomorrow, but some day.

A DMZ segment can have public or private addresses. If you have two ISA Server computers, or an ISA Server computer and another firewall, you can create a "back-to-back DMZ." The back-to-back DMZ can have public or private network addresses. When you use public addresses, your DMZ segment becomes a direct extension of the Internet. The major difference between the Internet and your public address DMZ segment is that the hosts on the DMZ segment are under your administrative control.

The private address DMZ segment isn't considered a direct extension of the Internet, because a network address translator or proxy has to be interposed between the private address DMZ hosts and the Internet. The private address DMZ segment is more secure because there is no way to route packets directly to and from the Internet; the packets must traverse the NAT or proxy.

Configuring a Trihomed DMZ

ISA Server supports the trihomed DMZ configuration in addition to the back-to-back DMZ setup. The trihomed DMZ has the following interfaces:

  • A public interface with a...
