Cisco Support Community
Community Member

Is it a good idea to allow DMZ-to-DMZ communication

Is it good practice, or is there any problem with allowing two Internet DMZ hosts to communicate on a TCP port?

We have Internet connections in the USA and the UK. We have two app servers, on the USA Internet DMZ and UK Internet DMZ subnets, that need to talk to each other.

The data path will look like:

USA DMZ --- USA inside --- internal WAN --- UK inside --- DMZ

What is the downside, based on a good security policy?


Re: Is it a good idea to allow DMZ-to-DMZ communication


One of the DMZ's functions is to host servers that need to be accessed by outsiders, and that access normally comes from the public network/Internet (via the outside interface). This allows you to secure your internal network from being indirectly accessible too, even though you mapped an internal server to a public IP.

But in your case, the link between the 2 sites is via the internal WAN, which does not pass through the Internet. The internal link is considered safer, but you still need to consider/justify why DMZ traffic needs to pass through your internal network to reach the other side, if it can go via the Internet.

There's nothing wrong with the setup/topology. What you really need is to have appropriate security measures to mitigate potential security threats, i.e. viruses/worms passing through, misconfiguration that accidentally opens up access to your internal network, escalation of an attack from the remote DMZ server (if hacked) to your DMZ, and so on.

Also, consider how much data will pass through, its sensitivity, and the congestion or bandwidth size of your internal WAN and of your link to the Internet.

On the firewall, I believe you'll have a standard configuration like ACLs, NAT and so on (it is up to you to enable all possible features).

What you need is to weigh the possible risks against what you have to mitigate possible threats, i.e. a layered security model where you have IDS/IPS to inspect traffic exchanged between DMZs, antivirus and CSA installed on both servers, additional ACLs in the internal WAN router, and secure protocols between the DMZ servers.

If both DMZ servers are accessible to the public, maybe sending the data via the Internet gives you less risk, as any tampered data/traffic (if the servers are compromised) will not pass through your internal network at all.
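As an added illustration of the "additional ACL in the internal WAN router" point above (not part of the original thread), here is a constructed Cisco IOS extended ACL for the UK WAN router that lets only the agreed application port pass between the two named DMZ hosts and logs anything else the remote DMZ tries to send across the internal WAN. All addresses and the port are assumptions: USA DMZ server 192.0.2.10 in 192.0.2.0/24, UK DMZ server 198.51.100.10 in 198.51.100.0/24, application port TCP 8443.

```cisco
! Constructed example (not from the thread): UK WAN router, applied inbound on the internal WAN link.
! Assumed: USA DMZ app server 192.0.2.10, UK DMZ app server 198.51.100.10, app port TCP 8443.
ip access-list extended WAN-IN
 remark Sessions the USA server opens to the UK server, on the agreed port only
 permit tcp host 192.0.2.10 host 198.51.100.10 eq 8443
 remark Return packets for sessions the UK server opened to the USA server (stateless router)
 permit tcp host 192.0.2.10 eq 8443 host 198.51.100.10 established
 remark Anything else sourced from the remote DMZ stays out of the UK network, and is logged
 deny   ip 192.0.2.0 0.0.0.255 any log
 remark Nothing else from the WAN may reach the UK DMZ subnet; log attempts for the IDS/IPS team
 deny   ip any 198.51.100.0 0.0.0.255 log
 remark Normal inside-to-inside corporate traffic; its own policy is out of scope here
 permit ip any any
!
interface GigabitEthernet0/1
 description Internal WAN link to USA
 ip access-group WAN-IN in
```

A matching ACL on the USA WAN router, with the hosts and subnets swapped, gives the same containment in the other direction, so a compromised DMZ server at either site cannot use the internal WAN to reach anything but its single peer on its single port.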



Community Member

Re: Is it a good idea to allow DMZ-to-DMZ communication

Thanks for the input!
