I understand what a DMZ is, I'm just a little fuzzy on how it works.
You can use three NICs coming off of your FW or router: 1. the WAN, 2. the LAN, 3. the DMZ. Or you can sandwich the DMZ between two firewalls, with the LAN behind the second FW.
But say you have a webserver in the DMZ. That webserver can still reach into the LAN and connect to the database server, load balancer, etc. I see how you gain more control, but I don't see how you gain security. Couldn't you just achieve this with firewall rules / policies?