
DMZ Module

The DMZ (Demilitarized Zone) is the foundational network security architecture pattern for any organisation that exposes services to untrusted networks. It creates a controlled buffer zone between the trusted internal network and the hostile internet, ensuring that no direct communication path exists between external attackers and internal systems. Every inbound connection terminates in the DMZ, where it is inspected, validated, and proxied before any interaction with internal resources occurs.

The classic DMZ architecture uses a multi-tier firewall topology. An external firewall faces the internet and permits only specific, tightly scoped traffic into the DMZ segment. An internal firewall separates the DMZ from the trusted network and enforces even more restrictive rules -- typically allowing only specific application-layer connections initiated by DMZ services toward defined internal targets. The critical design principle is that there must be absolutely no direct traffic path from the internet to the internal network. All traffic must be broken, inspected, and re-originated at the DMZ tier.

Within the DMZ, bastion hosts serve as hardened intermediary systems. These include web application frontends (reverse proxies, load balancers), mail relay servers, DNS resolvers, VPN concentrators, and content inspection services (antivirus scanning, web application firewalls). Each bastion host runs a minimal, hardened operating system configuration with only the services strictly required for its function. Attack surface reduction through least functionality is paramount -- every unnecessary service, port, protocol, and software package increases the risk of compromise.

Modern DMZ architectures must also account for encrypted traffic inspection. As TLS adoption has become near-universal, the ability to inspect traffic content for malicious payloads requires TLS termination or interception at the DMZ boundary. This introduces its own security considerations around certificate management, key protection, and the privacy implications of decrypting user traffic. Organisations must balance the security benefit of content inspection against regulatory and privacy constraints.

Comprehensive audit logging and monitoring are essential for DMZ operations. The DMZ is the most attacked segment of any network, and the ability to detect, investigate, and respond to incidents depends entirely on the quality and completeness of audit data. Every connection, every authentication attempt, every firewall rule hit, and every IDS/IPS alert must be logged, timestamped, and forwarded to a secure, centralised logging infrastructure that resides outside the DMZ itself.
Release: 26.02 | Authors: Aurelius, Vitruvius | Updated: 2026-02-06
ATT&CK coverage: this pattern addresses 463 techniques across 13 tactics.
[Pattern diagram (SVG). Actor: Security Operations. Untrusted public network (e.g. Internet) → External Firewall (default rule: DENY ALL; enable specific ports and IP addresses/ranges; stateful inspection) → DMZ segment containing Proxy/Gateway/Web bastion hosts (minimal services, hardened configuration, management/monitoring by separate network interfaces/VLAN), DNS, IDS/IPS and External Services → Internal Firewall (default rule: DENY ALL; enable specific ports and IP addresses; stateful inspection and DoS protection; load balance/high availability) → Trusted network (e.g. CorpNet) hosting Internal Services. Security Operations responsibilities shown: configuration of environment; monitoring and response to emerging threats. The control badges in the diagram correspond to the controls listed at the end of this page. OSA is licensed according to Creative Commons Share-alike; please see http://www.opensecurityarchitecture.org/about/license-terms.]


Key Control Areas

  • Information Flow and Access Control (AC-04, AC-06, AC-07, AC-12): These controls define what traffic can traverse the DMZ and how sessions are managed. Information flow enforcement (AC-04) is the most critical control for this pattern -- it governs the firewall rulesets that determine which traffic is permitted between network zones. Rules must be default-deny, permitting only explicitly authorised flows. Least privilege (AC-06) applies to both administrative access to DMZ systems and to the services exposed through them -- each system should run with minimum required permissions. Unsuccessful login attempts (AC-07) must trigger lockout and alerting on all DMZ-facing authentication services to resist brute-force attacks. Session termination (AC-12) ensures idle sessions are closed to prevent session hijacking and resource exhaustion. Implementation guidance: maintain a documented network flow matrix, review firewall rules quarterly, and automate rule validation against the approved flow policy.
  • Comprehensive Audit and Logging (AU-02, AU-03, AU-04, AU-05, AU-06, AU-07, AU-08, AU-09, AU-10, AU-11): The DMZ generates the highest volume and most security-critical audit data in the network. Auditable events (AU-02) must include all connection attempts (successful and failed), authentication events, firewall rule matches, IDS/IPS alerts, and administrative actions. Content of audit records (AU-03) must capture source/destination addresses, ports, protocols, timestamps, user identifiers, and action taken. Audit storage capacity (AU-04) must be sized for the high volume of DMZ traffic -- capacity exhaustion that stops logging is a critical vulnerability. Response to audit processing failures (AU-05) must ensure that logging failures generate immediate alerts and that systems fail securely rather than continuing to operate without audit. Audit monitoring and analysis (AU-06) and report generation (AU-07) enable real-time and forensic investigation of DMZ security events. Timestamps (AU-08) must be synchronised via NTP to enable correlation across systems. Protection of audit information (AU-09) requires that logs be forwarded to a secured collection point outside the DMZ where they cannot be tampered with by an attacker who compromises a DMZ host. Non-repudiation (AU-10) and audit record retention (AU-11) support forensic investigation and regulatory compliance.
  • System Hardening and Vulnerability Management (CM-07, RA-05, SI-07): DMZ systems are the most exposed in the network and must be hardened aggressively. Least functionality (CM-07) mandates that each DMZ host runs only the software and services strictly required for its function -- no development tools, no unnecessary network services, no default accounts, no sample applications. Vulnerability scanning (RA-05) must be performed frequently against DMZ systems (weekly or continuous), as they are the first targets for exploit attempts. Newly disclosed vulnerabilities in DMZ-facing services require expedited patching, often within hours rather than the standard patch cycle. Software and information integrity (SI-07) ensures that DMZ systems can detect unauthorised modifications to executables, configuration files, and critical data -- file integrity monitoring is essential on all DMZ hosts.
  • Malicious Content and Intrusion Detection (SI-03, SI-04, SI-08, SI-06): The DMZ is where malicious content entering the network should be detected and blocked. Malicious code protection (SI-03) requires antivirus and anti-malware scanning on all DMZ services that handle file transfers, email, or web content. Information system monitoring (SI-04) includes network-based intrusion detection/prevention systems (IDS/IPS) deployed at strategic points: between the internet and the DMZ, and between the DMZ and the internal network. This layered placement enables detection of both external attack attempts and lateral movement from compromised DMZ hosts. Spam protection (SI-08) is implemented on DMZ mail relay services. Security functionality verification (SI-06) provides ongoing assurance that security controls on DMZ systems are operating as intended -- automated health checks should verify firewall states, IDS signatures, and antivirus definitions regularly.
  • DNS Security (SC-20, SC-21, SC-22): DNS is a critical service in the DMZ and a frequent attack target. Authoritative DNS services (SC-20) exposed in the DMZ must be hardened, rate-limited, and protected against zone transfer attacks, DNS amplification, and cache poisoning. Recursive resolvers (SC-21) used by DMZ hosts for outbound resolution must validate responses (DNSSEC) and be isolated from authoritative services. Architecture and provisioning for DNS (SC-22) requires split-horizon DNS where external-facing and internal DNS namespaces are separated, preventing information disclosure about internal network topology. DNS logs should feed into the SIEM for detection of DNS tunnelling and command-and-control communication.
  • Network Resilience and Session Security (SC-05, SC-10, SC-23, CA-03): The DMZ must withstand denial-of-service attacks and maintain session integrity. DoS protection (SC-05) requires rate limiting, SYN flood protection, and ideally upstream DDoS mitigation services for internet-facing services. Network disconnect (SC-10) ensures sessions that exceed time limits or exhibit anomalous behaviour are terminated. Session authenticity (SC-23) protects against session hijacking and replay attacks on DMZ-hosted web applications and VPN services. Information system connections (CA-03) documents and authorises all connections between the DMZ and other network segments, ensuring every flow is known, approved, and monitored.
  • Security Assessment and Remediation (CA-04, CA-05, SI-05): DMZ security posture must be continuously assessed and improved. Security certification (CA-04) provides formal evaluation of DMZ architecture and configuration against security requirements before deployment and after significant changes. Plan of action and milestones (CA-05) tracks identified weaknesses and remediation timelines -- DMZ findings should receive accelerated remediation priority. Security alerts and advisories (SI-05) ensure the operations team receives and acts on vendor security advisories, CERT notifications, and threat intelligence relevant to DMZ technologies. Organisations should subscribe to advisory feeds for every technology deployed in the DMZ.
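The Information Flow and Access Control guidance above calls for a documented network flow matrix and automated validation of firewall rules against it. The script below is an added example in Python, not part of the OSA pattern; its zone names, rule format, approved flows and sample rulesets are constructed. It flags permits not in the matrix, any direct internet-to-trusted path, over-broad "any" permits, a missing trailing default-deny, and approved flows that no rule implements (a stale matrix or a missing rule).

```python
"""Validate a DMZ firewall ruleset against an approved network flow matrix.

Added example (not from the OSA pattern page). Zone names, the Rule format,
the approved flows and the sample rulesets are all constructed.
"""
from dataclasses import dataclass

UNTRUSTED, DMZ, TRUSTED = "internet", "dmz", "corpnet"  # constructed zone names


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int   # 0 means "any port"
    proto: str      # "tcp", "udp" or "any"
    action: str     # "permit" or "deny"


# Approved flow matrix (constructed): (src_zone, dst_zone, dst_port, proto).
APPROVED_FLOWS = {
    (UNTRUSTED, DMZ, 443, "tcp"),   # internet -> reverse proxy
    (UNTRUSTED, DMZ, 25, "tcp"),    # internet -> mail relay
    (DMZ, TRUSTED, 8443, "tcp"),    # proxy -> application tier, DMZ-initiated
    (DMZ, TRUSTED, 514, "udp"),     # syslog forwarding to collector outside the DMZ
}


def find_violations(rules):
    """Return human-readable violations; an empty list means the ruleset passes."""
    violations = []
    for i, r in enumerate(rules, start=1):
        if r.action != "permit":
            continue
        # Core DMZ principle: no direct path from the untrusted to the trusted zone.
        if r.src_zone == UNTRUSTED and r.dst_zone == TRUSTED:
            violations.append(f"rule {i}: direct {UNTRUSTED}->{TRUSTED} path is forbidden")
            continue
        # Default-deny posture: permits must be explicit, never "any" port/protocol.
        if r.dst_port == 0 or r.proto == "any":
            violations.append(f"rule {i}: 'any' port/protocol permits are not allowed")
            continue
        if (r.src_zone, r.dst_zone, r.dst_port, r.proto) not in APPROVED_FLOWS:
            violations.append(
                f"rule {i}: flow {r.src_zone}->{r.dst_zone} {r.proto}/{r.dst_port} "
                "not in approved matrix")
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny" and last.src_zone == "any"
                            and last.dst_zone == "any"):
        violations.append("ruleset does not end with an explicit default-deny (any -> any)")
    return violations


def approved_but_unimplemented(rules):
    """Flows in the matrix that no permit rule implements (stale matrix or missing rule)."""
    implemented = {(r.src_zone, r.dst_zone, r.dst_port, r.proto)
                   for r in rules if r.action == "permit"}
    return sorted(APPROVED_FLOWS - implemented)


# Constructed sample rulesets: one compliant, one with typical accumulated errors.
GOOD_RULES = [
    Rule(UNTRUSTED, DMZ, 443, "tcp", "permit"),
    Rule(UNTRUSTED, DMZ, 25, "tcp", "permit"),
    Rule(DMZ, TRUSTED, 8443, "tcp", "permit"),
    Rule(DMZ, TRUSTED, 514, "udp", "permit"),
    Rule("any", "any", 0, "any", "deny"),
]
BAD_RULES = [
    Rule(UNTRUSTED, DMZ, 443, "tcp", "permit"),
    Rule(UNTRUSTED, TRUSTED, 3389, "tcp", "permit"),  # legacy "temporary" admin rule
    Rule(DMZ, TRUSTED, 0, "any", "permit"),           # over-broad internal permit
    Rule(DMZ, TRUSTED, 1433, "tcp", "permit"),        # flow never added to the matrix
]

if __name__ == "__main__":
    for name, rs in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, find_violations(rs) or "OK", approved_but_unimplemented(rs))
```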

When to Use

  • Any organisation with a secure computing environment that connects to untrusted networks.
  • Organisations hosting internet-facing services (web applications, email, VPN, APIs).
  • Environments requiring regulatory compliance that mandates network segmentation (PCI DSS, SWIFT CSP).
  • Organisations with multiple security zones requiring controlled traffic flow between trust levels.
  • Any environment where internal systems must be protected from direct exposure to internet-sourced threats.

When NOT to Use

  • Single-user environments such as home users without server infrastructure.
  • Very small organisations that consume only cloud-hosted SaaS services and have no on-premises servers or internet-facing infrastructure.
  • Environments that have fully adopted zero-trust network access models where traditional perimeter-based DMZ concepts are replaced by identity-based micro-segmentation -- though even in these cases, the underlying principles of traffic inspection and zone separation remain relevant.

Typical Challenges

  • Skilled firewall administrators are essential to ensure that firewall rules do not contain errors that create security holes -- rule complexity grows over time and accumulated legacy rules are a common source of vulnerabilities.
  • Skilled security and server engineers are needed to implement and maintain hardened builds for gateway and bastion host systems.
  • Remodelling an existing flat or poorly segmented environment into a proper DMZ architecture is significantly more difficult than building from scratch. The recommended approach for remodelling is: first, isolate in the DMZ those services with an intermediate role (web frontends, antivirus servers, content inspection servers, SSL VPN portals, captive portals); second, plan traffic rules on the firewall layer to route only a very restricted set of services, especially concerning traffic from the DMZ to the internal network and from the internet to the DMZ, ensuring absolutely no direct traffic from the internal network to the internet; third, optionally add intrusion prevention systems at two strategic points -- in front of server networks for defence in depth and data isolation, and between the internal network and DMZ to contain propagation of worms and fast-spreading zero-day attacks.
  • Managing encrypted traffic inspection at scale introduces certificate management complexity and privacy considerations.
  • Cloud and hybrid architectures complicate traditional DMZ models, requiring adaptation of the pattern to virtual network constructs, cloud-native firewalls, and zero-trust network access approaches.

Threat Resistance

  • Denial-of-service attacks targeting internet-facing services, including volumetric DDoS, application-layer floods, and protocol exploitation.
  • Network-based attacks including port scanning, service enumeration, and exploitation of vulnerabilities in exposed services.
  • Web application attacks such as SQL injection, cross-site scripting, and remote code execution targeting DMZ-hosted applications.
  • Lateral movement from compromised DMZ hosts into the internal network.
  • DNS-based attacks including cache poisoning, DNS tunnelling for command-and-control, and DNS amplification attacks.
  • Malware delivery through web traffic, email attachments, or file transfer services hosted in the DMZ.
  • Session hijacking and man-in-the-middle attacks against DMZ-hosted services.
  • Brute-force and credential-stuffing attacks against authentication services exposed through the DMZ.
  • Unauthorised network access through misconfigured firewall rules or undocumented network flows.

Assumptions

  • The organisation operates a network environment that connects to one or more untrusted networks, typically the internet.
  • A multi-tier firewall architecture is available or planned, with physically or logically separate firewall instances for the external and internal DMZ boundaries.
  • Encryption should be used for sensitive traffic; it may be necessary to break the session at the gateway (bastion host) to inspect traffic depending on content monitoring requirements.
  • Skilled firewall administrators and security engineers are available to implement and maintain the hardened configuration.
  • The organisation has or will establish a centralised logging and monitoring capability to consume DMZ audit data.
  • Network segmentation principles are understood and supported by the network infrastructure.

Developing Areas

  • The relevance of traditional DMZ architecture in cloud-first organisations is being actively debated. As workloads move to cloud providers where the perimeter is the identity layer rather than a network boundary, the classic two-firewall DMZ with bastion hosts is becoming an on-premises artefact. Cloud equivalents (public subnets with ALBs, API gateways, cloud WAFs) serve the same function but use fundamentally different implementation patterns. Organisations operating hybrid estates must maintain both traditional and cloud DMZ architectures with different tooling, skills, and operational processes -- a duplication that increases complexity and cost.
  • API gateways are emerging as the modern equivalent of DMZ bastion hosts, providing the inspection, authentication, and rate-limiting functions that reverse proxies and WAFs traditionally performed. However, API gateways operate at Layer 7 with richer protocol understanding (GraphQL, gRPC, WebSocket) and deeper integration with identity providers and developer platforms. The transition from network-centric DMZ thinking to API-centric boundary protection requires architectural mindset shifts that many network security teams have not yet made, and the skills required to configure API gateway security policies differ significantly from traditional firewall administration.
  • Micro-segmentation is challenging the zone-based model that DMZs represent. Rather than routing all traffic through defined network zones separated by firewalls, micro-segmentation applies per-workload policies that follow the application regardless of network location. In this model, the DMZ concept dissolves into granular identity-based policies applied at every workload. The practical reality is that most organisations are years away from comprehensive micro-segmentation and continue to rely on zone-based architectures, but the architectural direction suggests that the DMZ as a distinct network segment may eventually be superseded by distributed enforcement points.
  • East-west inspection scaling is an emerging challenge as organisations recognise that the majority of malicious traffic in modern breaches moves laterally within the network rather than crossing the traditional DMZ boundary. Deploying IDS/IPS and content inspection at the volume and speed required for internal traffic between application tiers, databases, and management systems demands purpose-built hardware or distributed software sensors that most DMZ architectures were never designed to accommodate. Vendors are responding with distributed inspection platforms, but the cost and performance implications of inspecting all internal traffic remain significant constraints.
Controls by family: AC: 4, AU: 10, CA: 3, CM: 1, RA: 1, SC: 6, SI: 6
AC-04 Information Flow Enforcement
AC-06 Least Privilege
AC-07 Unsuccessful Login Attempts
AC-12 Session Termination
AU-02 Auditable Events
AU-03 Content Of Audit Records
AU-04 Audit Storage Capacity
AU-05 Response To Audit Processing Failures
AU-06 Audit Monitoring, Analysis, And Reporting
AU-07 Audit Reduction And Report Generation
AU-08 Time Stamps
AU-09 Protection Of Audit Information
AU-10 Non-Repudiation
AU-11 Audit Record Retention
CA-03 Information System Connections
CA-04 Security Certification
CA-05 Plan Of Action And Milestones
CM-07 Least Functionality
RA-05 Vulnerability Scanning
SC-05 Denial Of Service Protection
SC-10 Network Disconnect
SC-20 Secure Name / Address Resolution Service (Authoritative Source)
SC-21 Secure Name / Address Resolution Service (Recursive Or Caching Resolver)
SC-22 Architecture And Provisioning For Name / Address Resolution Service
SC-23 Session Authenticity
SI-03 Malicious Code Protection
SI-04 Information System Monitoring Tools And Techniques
SI-05 Security Alerts And Advisories
SI-06 Security Functionality Verification
SI-07 Software And Information Integrity
SI-08 Spam Protection