Controls

Terug naar overzicht
Version

SB.11.005 DMZ

Low
Low
Low
Network Security
Organisation
v2.0 (Q1 2024)

Description

The DMZ (demilitarized zone) is the network location for public-facing services.

Only systems in the DMZ can accept communications initiated from outside the network.

The DMZ is separated from the outside world and the internal network with Firewalls.

Only the public facing component of a service can be in the DMZ, data processing and storage must be in separate parts of the network according to the data classification.

Systems within the DMZ treat other DMZ systems as non-trusted.

Inside services verify requests from DMZ hosts to have the right source and authorisation.

Specification

Use a stateful firewall between the outside world and the DMZ, and between the DMZ and backend services or storage. Configure the DMZ host to only run services it needs for or in support of the public function. Configure the local and network firewalls to minimize exposure of management functions

Management of a DMZ host has to happen via a bastion host, not directly from the outside world.

Connections from DMZ hosts to the inside need appropriate levels of encryption and authentication with a non-personal privileged account.

Specification

ISO

Use a stateful firewall between the outside world and the DMZ, and between the DMZ and backend services or storage. Configure the DMZ host to only run services it needs for or in support of the public function. Configure the local and network firewalls to minimize exposure of management functions

Management of a DMZ host has to happen via a bastion host, not directly from the outside world.

Connections from DMZ hosts to the inside need appropriate levels of encryption and authentication with a non-personal privileged account.

NBA