The DMZ (demilitarized zone) is the network location for public-facing services.
Only systems in the DMZ can accept communications initiated from outside the network.
The DMZ is separated from the outside world and the internal network with Firewalls.
Only the public facing component of a service can be in the DMZ, data processing and storage must be in separate parts of the network according to the data classification.
Systems within the DMZ treat other DMZ systems as non-trusted.
Inside services verify requests from DMZ hosts to have the right source and authorisation.
Specification
Use a stateful firewall between the outside world and the DMZ, and between the DMZ and backend services or storage. Configure the DMZ host to only run services it needs for or in support of the public function. Configure the local and network firewalls to minimize exposure of management functions
Management of a DMZ host has to happen via a bastion host, not directly from the outside world.
Connections from DMZ hosts to the inside need appropriate levels of encryption and authentication with a non-personal privileged account.
ISO 27001 & 27002:2022
A5.8,
A8.14,
A8.20,
A8.21,
A8.22,
A8.31
SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel)
SM.08 Infrastructure resource protection and availability
SM.11 Network security