
What Ip Address is typical for a DMZ

chueymtz (Level 1)

I am trying to set up a DMZ (I have never done this before). I wanted to know what the best practice is for the IP address scheme. Also, am I understanding correctly that the port on the firewall would be configured for the DMZ, and from there I would attach a server and other applications that I want on that DMZ, is that correct?

4 Replies

Hi

There is no rule for the DMZ IP address scheme. You can use any addressing you want. And there's no rule for the firewall interface either.

People usually use the name DMZ in order to identify it more easily, but it can be any name. What matters on the firewall interface is the security level. Usually we use an intermediate security level like 50 or 70.

The DMZ is basically a segment of the network that can be connected to from the inside network and from the outside network (internet).

We place HTTP servers, mail servers, VPN gateways, etc. there: any service that can be consumed from inside and outside.


M02@rt37 (VIP)

Hello @chueymtz,

As concerns the IP scheme:

It's recommended to use a separate subnet for the DMZ network. This ensures logical isolation between the DMZ and your internal network. Assign public IP addresses to the servers or services in the DMZ. These public IP addresses should be routable and accessible from the internet. Use private IP addresses for the internal network and configure NAT (Network Address Translation) on the firewall to map the public IP addresses of the DMZ servers to their corresponding private IP addresses. Implement strict firewall rules to control inbound and outbound traffic between the DMZ, internal network, and the internet. Only allow necessary protocols and ports for the services hosted in the DMZ.

As concerns the DMZ configuration:

The firewall acts as the boundary between your internal network and the DMZ. Configure the firewall to allow incoming traffic from the internet to reach the DMZ servers, and control outgoing traffic from the DMZ to the internet.

Most firewalls provide separate physical or virtual interfaces specifically designed for DMZ connectivity. Connect the DMZ servers to the DMZ interface of the firewall.

Create a separate security zone on the firewall for the DMZ. Assign the DMZ interface to this zone and apply the appropriate security policies to control the traffic flow.

Control access between the DMZ and internal network by configuring firewall rules. Allow only necessary communication between the two zones based on your security requirements.

Note that the configuration can vary based on the specific firewall and network infrastructure you are using.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

There is no rule for which IP you use, BUT

there is a trick in NATing:

For an inside host to reach the DMZ server you need hairpin NATing.

For an outside host to reach the DMZ server you need static NATing.

That's it.

Joseph W. Doherty (Hall of Fame)

Like the other posters, I don't believe there's a best practice for DMZ host IP usage, although the most common choice would likely be the use of public IPs.

As to the FW port going to a DMZ segment, what's "special" about that port is that its ruleset is usually different from the rulesets of the other FW ports. In general, that port's ruleset is tailored to its needs, which is also what determines the rulesets for your other FW ports. As FW port needs can differ, so often will port rulesets differ.

BTW, within a DMZ segment, something like a PVLAN might be used.

An example of a possible FW ruleset for a mail server within the DMZ: from the outside, any host might be able to use SMTP to/from it, but no other protocol access. From inside, IMAP might be allowed to pull mail and SMTP to push mail, and, perhaps, some form of remote management access from specific hosts/subnets, etc.
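To make the points in this thread concrete (the intermediate security level, static NAT for the DMZ server, and a per-interface ruleset like the mail-server one just described), here is an added example of a Cisco ASA (8.3 or later syntax) configuration. It is not from any of the posters above; interface names, the object names MAIL-DMZ, INSIDE-LAN and DMZ-NET, and all addresses are assumptions for illustration (203.0.113.0/24 from RFC 5737 stands in for the public range, 172.16.10.0/24 is the DMZ, 192.168.1.0/24 is the inside LAN, 192.168.1.10 is an assumed admin host). Outbound PAT for the inside LAN and any routing are omitted.

```cisco
! Added example, not from the thread. Cisco ASA 8.3+/9.x syntax.
! All names and addresses below are assumptions for illustration.

! 1. The DMZ is just another interface; the name and the intermediate
!    security level (50 here) are what make it "the DMZ".
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0

! 2. Static NAT: the mail server keeps a private DMZ address and the
!    firewall owns the public one. The dns keyword rewrites A records that
!    cross the firewall, so inside clients resolving the public name get
!    172.16.10.25 and reach the server directly rather than via outside.
object network MAIL-DMZ
 host 172.16.10.25
 nat (dmz,outside) static 203.0.113.25 dns

! 3. Outside -> DMZ: only SMTP to the mail server; everything else is
!    dropped and logged. With 8.3+ NAT, ACLs reference the real (private) IP.
access-list OUTSIDE-IN extended permit tcp any object MAIL-DMZ eq smtp
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside

! 4. Inside -> DMZ: mail clients may use IMAPS (993) and SMTP submission
!    (587), one admin host may SSH; any other inside-to-DMZ traffic is
!    denied, while inside-to-Internet remains permitted.
object network INSIDE-LAN
 subnet 192.168.1.0 255.255.255.0
object network DMZ-NET
 subnet 172.16.10.0 255.255.255.0
access-list INSIDE-IN extended permit tcp object INSIDE-LAN object MAIL-DMZ eq 993
access-list INSIDE-IN extended permit tcp object INSIDE-LAN object MAIL-DMZ eq 587
access-list INSIDE-IN extended permit tcp host 192.168.1.10 object MAIL-DMZ eq ssh
access-list INSIDE-IN extended deny ip object INSIDE-LAN object DMZ-NET log
access-list INSIDE-IN extended permit ip object INSIDE-LAN any
access-group INSIDE-IN in interface inside

! 5. DMZ -> anywhere: a compromised DMZ host must not reach the inside,
!    and may only talk outbound on what the service genuinely needs
!    (SMTP to other mail servers, DNS).
access-list DMZ-IN extended deny ip object DMZ-NET object INSIDE-LAN log
access-list DMZ-IN extended permit tcp object MAIL-DMZ any eq smtp
access-list DMZ-IN extended permit udp object MAIL-DMZ any eq domain
access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface dmz
```

The explicit DMZ-to-inside deny in step 5 is the part worth checking on any firewall: on the ASA the lower security level of the DMZ already blocks it by default, but once an ACL is bound to the dmz interface that implicit behaviour is replaced by the ACL, so the deny has to be written out. The same applies on the inside interface, which is why step 4 ends with a permit to any for Internet-bound traffic.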
