DMZ versus Public versus Web
‘Public Facing’, ‘DMZ’ and ‘Web Tier’ are often used interchangeably, but they are not the same thing.
A DMZ, in essence, is a network segment that ISOLATES your PUBLIC-facing assets from everything else. Those assets DO NOT have to be websites (public-facing web servers). The public face can be something like an Elastic IP, or a load balancer, that fronts your web server.
2 layer Firewall – DMZ
Two firewalls – the first one sits between the Internet and your public-facing server. The second one sits between the public-facing server and your INTERNAL servers (INTRANET). Both are default-deny: the first allows only the published service ports from the Internet into the DMZ, and the second allows only traffic that originates from the DMZ servers, and only on the specific ports the internal servers need to expose to them. That way a compromised DMZ host cannot roam the internal network; it can reach only what the second firewall explicitly permits.
Web Server / Web Tier
The Web Tier of your app, even though usually ‘public facing’, should not be part of your DMZ. Think of everything in your DMZ as ‘exposed’ – a web server placed there is directly reachable from the Internet, so a bug in it becomes a direct foothold into your app.
Instead of placing the web server in the DMZ, think about putting either an ELB (elastic load balancer) or an elastic IP (EIP) in front of it, and have the web servers accept traffic only from that front end rather than from the Internet. An ELB also gives you some additional built-in protection against certain types of DDoS attacks; an EIP, by contrast, is just a static public address and adds no such protection by itself.
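The following is an added example (it is not code from the original post) that checks a planned set of flows against the two-layer policy described above: the first firewall admits Internet traffic only to the public face (here, the ELB in the DMZ subnet), and the second admits internal traffic only from the DMZ, with the web tier kept out of the DMZ behind the load balancer. The zones, CIDRs, ports and sample flows are constructed assumptions; the policy is modelled the way AWS security groups behave, as per-tier ingress allow-lists with an implicit default deny.

```python
"""Check planned traffic flows against a two-layer (DMZ) allow-list policy.

Added example, not code from the original post. Zones, CIDRs, ports and
the sample flows are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan (assumption). The DMZ subnet holds only the
# load balancer; the web and data tiers sit in private subnets.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz":      ipaddress.ip_network("10.0.1.0/24"),   # ELB / public face
    "web":      ipaddress.ip_network("10.0.2.0/24"),   # web tier, NOT in the DMZ
    "data":     ipaddress.ip_network("10.0.3.0/24"),   # internal servers
}


@dataclass(frozen=True)
class Allow:
    """One ingress allow rule: traffic from zone `source` to `port` on the tier."""
    source: str
    port: int
    proto: str = "tcp"


# Ingress policy per tier. Anything not listed is denied (default deny).
# "dmz"  = first firewall: Internet may reach only the public face on 443.
# "web"  = second firewall: only the DMZ (the ELB) may reach the web tier.
# "data" = internal servers: only the web tier may reach the database port.
POLICY = {
    "dmz":  [Allow("internet", 443)],
    "web":  [Allow("dmz", 8080)],
    "data": [Allow("web", 5432)],
}


def zone_of(ip: str) -> str:
    """Most specific zone containing `ip`; 0.0.0.0/0 catches everything else."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def flow_allowed(src_ip: str, dst_ip: str, port: int, proto: str = "tcp") -> bool:
    """True if the destination tier's allow-list admits this flow."""
    dst_zone = zone_of(dst_ip)
    if dst_zone == "internet":
        return True  # egress to the Internet is outside this ingress policy
    src_zone = zone_of(src_ip)
    return any(r.source == src_zone and r.port == port and r.proto == proto
               for r in POLICY.get(dst_zone, []))


def audit(flows):
    """Return {(src, dst, port): allowed?} for a list of planned flows."""
    return {f: flow_allowed(*f) for f in flows}


if __name__ == "__main__":
    # Constructed sample flows (RFC 5737 address for the outside client).
    sample = [
        ("203.0.113.5", "10.0.1.10", 443),    # client -> ELB: allowed
        ("203.0.113.5", "10.0.2.10", 8080),   # client -> web server directly: denied
        ("203.0.113.5", "10.0.3.10", 5432),   # client -> database: denied
        ("10.0.1.10",   "10.0.2.10", 8080),   # ELB -> web tier: allowed
        ("10.0.1.10",   "10.0.3.10", 5432),   # DMZ -> database directly: denied
        ("10.0.2.10",   "10.0.3.10", 5432),   # web -> database: allowed
    ]
    for flow, ok in audit(sample).items():
        print(f"{flow[0]:>14} -> {flow[1]}:{flow[2]:<5} {'ALLOW' if ok else 'DENY'}")
```

Run the script and compare the ALLOW/DENY column with what you intended before you translate the table into real security-group or firewall rules; the flows worth watching are the ones that skip a tier (Internet straight to a web server, or the DMZ straight to the database), which this policy denies because no allow-list lists that source.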
Summary
Using ‘Web’, ‘Public’ and ‘DMZ’ interchangeably when discussing your network architecture can lead to confusion, and to servers ending up in the wrong segment. Know the differences, and stick to the correct terminology.