DMZ checklist

This is a checklist to use when implementing DMZs.
  • Use the external gateway router to bin unknown or unused protocols that are not required in the DMZ. This keeps the firewall from being swamped and acts as a second security skin. The traffic is binned using ACLs.
  • Use private addresses in the DMZ and use the firewall to NAT to the external network. On the external gateway router, bin all traffic carrying private addresses.
  • Implement an IPS/IDS.
  • Provide server protection – anti-virus, anti-spyware and anti-rootkit.
  • Do not store data in a DMZ that accepts incoming connections from the Internet or 3rd parties. Backhaul data for processing over a separate VLAN that is reached only through a firewall.
  • Use reverse proxies in the incoming DMZ. A system that holds local data can then be moved to an internal network and still be reachable, with the proxy taking the external connection and the data staying protected.
  • Use protected switch ports. Disable unused ports. Use port security to associate a MAC to a port.
  • Aggregate Netflow data from the network devices and review reports daily.
  • Review logs from network devices and servers. Search for an excessive number of failed logins.
  • Force network devices to use an authentication service like RADIUS or TACACS+.
  • Don’t deploy AD into the DMZs.
  • Implement separate management VLANs for network devices.
  • Don’t terminate incoming connections from the Internet or 3rd parties on the internal network.
  • Encrypt all data being backhauled from a DMZ.
  • Do not back up and restore servers through the firewalls.
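The first two items (bin unused protocols and private addresses at the external gateway router, NAT at the firewall) as a worked configuration. This is an added example, not part of the original checklist: it assumes Cisco IOS ACL syntax, a constructed public DMZ range of 203.0.113.0/24 (the documentation prefix) with a web server at .10 and a DNS server at .20, and an ISP uplink on GigabitEthernet0/0.

```cisco
! Added example (not from the checklist). Cisco IOS syntax assumed;
! 203.0.113.0/24, hosts .10/.20 and GigabitEthernet0/0 are constructed values.
!
ip access-list extended EXTERNAL-IN
 remark -- Anti-spoofing: packets from outside must not carry private or local sources --
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark -- Only the services the DMZ actually publishes --
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.10 eq 80
 permit udp any host 203.0.113.20 eq 53
 permit tcp any host 203.0.113.20 eq 53
 remark -- Replies to sessions the firewall NATed outbound; the router is stateless --
 permit tcp any 203.0.113.0 0.0.0.255 established
 permit udp any eq 53 203.0.113.0 0.0.0.255 gt 1023
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 permit icmp any 203.0.113.0 0.0.0.255 unreachable
 permit icmp any 203.0.113.0 0.0.0.255 time-exceeded
 remark -- Everything else (unknown or unused protocols) is binned and logged --
 deny   ip any any log
!
ip access-list extended EXTERNAL-OUT
 remark -- Nothing with a private address may leak out; only the firewall's NAT range leaves --
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/0
 description ISP uplink
 ip access-group EXTERNAL-IN in
 ip access-group EXTERNAL-OUT out
!
```

The `log` keyword on the deny lines feeds the daily log review called for later in the checklist; the `established` and DNS-reply permits are needed because the router ACL is stateless and would otherwise break the firewall's outbound NAT sessions.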