← Patterns / SP-016

DMZ Module

OpenSecurityArchitecture (OSA) distills the know-how of the security architecture community and provides readily usable patterns for your application. This is a free framework, developed and owned by the community.

Release: 08.02 Authors: Russel and Tobias Updated: 2025-07-05

Your browser does not support SVG. Download the diagram.

Click on controls in the diagram to view details. Download SVG

When to Use

Organisation with secure computing environment that connects to untrusted networks.

When NOT to Use

Single user environment e.g. Home user.

Typical Challenges

Skilled firewall administrators to ensure that firewall rules do not have errors that create holes. Skilled security and server engineers to implement and maintain hardened build for gateways.
Remodel an existing environment rather than building up an environment from scratch. To remodel the following approach is recommended:

  • Isolate in the DMZ those services that have an "intermediate" role, such as web frontends, antivirus-servers, content inspection servers, SSL VPN portals, Captive portals, etc.
  • Plan traffic rules on the firewall layer to route only the a very restricted set of services, especially concerning the traffic from the DMZ to the internal network and from the internet to the DMZ. Make sure, that there is absolutely NO direct traffic from the internal network to the internet
  • Optionally add intrusion prevention systems in mainly two strategic points: in front of server networks, to ensure in depth defense and isolation of the sensitive data. As well as between internal network and DMZ, to contain propagation of worms and fast spreading zero day attacks throughout the network and on the Net.

Threat Resistance

Denial of Service, Network based attacks.

Assumptions

1) Encryption should be used for sensitive traffic, it may be necessary to break the session at the gateway (bastion host) to inspect traffic depending on content monitoring requirements. 2) The internet is a bad place and you need to protect your trusted computing environment from it!

Mapped Controls (31)

AC: 4AU: 10CA: 3CM: 1RA: 1SC: 6SI: 6
  • AC-04 Information Flow Enforcement
  • AC-06 Least Privilege
  • AC-07 Unsuccessful Login Attempts
  • AC-12 Session Termination
  • AU-02 Auditable Events
  • AU-03 Content Of Audit Records
  • AU-04 Audit Storage Capacity
  • AU-05 Response To Audit Processing Failures
  • AU-06 Audit Monitoring, Analysis, And Reporting
  • AU-07 Audit Reduction And Report Generation
  • AU-08 Time Stamps
  • AU-09 Protection Of Audit Information
  • AU-10 Non-Repudiation
  • AU-11 Audit Record Retention
  • CA-03 Information System Connections
  • CA-04 Security Certification
  • CA-05 Plan Of Action And Milestones
  • CM-07 Least Functionality
  • RA-05 Vulnerability Scanning
  • SC-05 Denial Of Service Protection
  • SC-10 Network Disconnect
  • SC-20 Secure Name / Address Resolution Service (Authoritative Source)
  • SC-21 Secure Name / Address Resolution Service (Recursive Or Caching Resolver)
  • SC-22 Architecture And Provisioning For Name / Address Resolution Service
  • SC-23 Session Authenticity
  • SI-03 Malicious Code Protection
  • SI-04 Information System Monitoring Tools And Techniques
  • SI-05 Security Alerts And Advisories
  • SI-06 Security Functionality Verification
  • SI-07 Software And Information Integrity
  • SI-08 Spam Protection