Is DMZ suppose to be in trust-zone or in untrust-zone?

We're trying to use a DMZ for our servers, but my network guy has setup the DMZ in a trust-zone. But to my understanding, a DMZ should be in untrust-zone and then we should control the traffic between DMZ and the trust zone.

Can you please tell me which one is correct? (Trust zone or untrust zone?)

And if it is in trust zone, why?
SW111Asked:
Who is Participating?
 
blissbearConnect With a Mentor Commented:
Personally I would put the target machine you are using for DMZ in an untrusted zone so it doesn't have access to your LAN.

If you are not dedicating an individual server to the DMZ, I wouldn't bother implimenting it, as the risks to your network are increased.
0
 
blissbearCommented:
DMZ is usually implimented to allow all access to an IP address without any firewall or filtering or translation rules.  Basically anything that accesses your firewall that isn't assigned a translation rule will be forwarded to the DMZ address.  This is useful for monitoring all access to your firewall that isn't normal.
0
 
SW111Author Commented:
Hello. DOesnt exactly answer my question:
1. is it supposed to be in trust zone or untrust zone?
2. if trust zone, why?

I just realized that I might be using a juniper-specific term because I'm using Juniper SSG for my firewall. (But I suspect the concept is all the same).
0
 
SW111Author Commented:
Thanks. It seems logical to me, but my network guy says that juniper manual seems to have other ideas. We do have dedicated servers for servicing customers via internet, which I think should be in the DMZ.
Thanks Again for your help.
0
All Courses

From novice to tech pro — start learning today.