I am trying to convince my comrades that anything that provides a service to outside users, or anything with an open port accessible from the outside, should be put in our DMZ instead of on the 'Inside' interface of the firewall.
Is there a standard rule about determining what devices should go into a DMZ vs. Inside network?
I mean if it has a NAT'd address from the outside to the inside, does it make sense to dump it into the DMZ?
Sorry, should have been more specific.
If the device is open for connections from the Internet, especially if the source IPs from the Internet cannot be locked down, then it should be on a DMZ.
The thinking behind this is that there are always bugs in software. If an attacker gained access to the server while it was on your inside network, he would then have free access to your entire network, whereas if it is on a DMZ he has limited access, if any.
It should be noted that firewalling is only one part of the overall solution - IDS/IPS plays a large part too, together with more traditional things such as logging etc.
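As an added example (not from the original post or the answer above), here is an nftables ruleset for the three-zone layout the answer describes: the published DMZ host is reachable from outside only on its service ports, the inside network may initiate to both zones, and the DMZ can never initiate towards the inside, so a compromised DMZ server has nowhere to go. Interface names and the RFC 5737 addresses are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: three-zone firewall policy. Interface names and addresses are assumptions.
flush ruleset

define WAN = eth0
define DMZ = eth1
define LAN = eth2
define DMZ_WEB = 192.0.2.10      # public web server in the DMZ (constructed, RFC 5737)
define WAN_IP  = 203.0.113.5     # firewall's outside address (constructed, RFC 5737)

table inet fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful return traffic for any flow that was already permitted
        ct state established,related accept
        ct state invalid drop

        # Outside -> DMZ: only the published service, only to the published host
        iifname $WAN oifname $DMZ ip daddr $DMZ_WEB tcp dport { 80, 443 } accept

        # Inside -> DMZ and Inside -> Outside: internal users may initiate
        iifname $LAN oifname { $DMZ, $WAN } accept

        # DMZ -> Outside: keep it narrow; here only DNS and HTTPS (e.g. package updates)
        iifname $DMZ oifname $WAN meta l4proto { tcp, udp } th dport 53 accept
        iifname $DMZ oifname $WAN tcp dport 443 accept

        # DMZ -> Inside: never initiated from the DMZ; log attempts, they indicate compromise
        iifname $DMZ oifname $LAN log prefix "DMZ->LAN denied: " drop

        # Everything else falls through to the chain's drop policy
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Publish the DMZ web server: this is the "NAT'd address" from the question
        iifname $WAN ip daddr $WAN_IP tcp dport { 80, 443 } dnat to $DMZ_WEB
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $WAN masquerade
    }
}
```

The logged "DMZ->LAN denied" events are the signal the answer's IDS/IPS and logging remark is about: a DMZ host that starts knocking on the inside network is a host worth investigating.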