Perimeter Network ("DMZ")

Perimeter networks are the networks closest to the boundaries of your AS. They're the last of your networks that traffic would traverse on the way to the Internet or the first of your networks that traffic would traverse on the way into your AS.

Reference Chapman and Zwicky.

If your network design includes a firewall, your perimeter networks may be a part of it.

Need figure showing location of packet filters and labeled networks.

If so, they may be called "DMZ" (for demilitarized zone) networks. Packet filtering often separates more trusted networks closer to the core of your AS from the DMZ networks at the perimeter. Packet filtering may also separate the Internet from the DMZ. The military metaphor comes from the idea that you'll let untrusted users on the DMZ networks, but they can't "bring guns." For example, packet filtering might allow HTTP from the Internet to reach the DMZ but prohibit telnet, finger, and other protocols that might easily allow an attack on your trusted networks to be launched.
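The two filtering points described above (Internet/DMZ and DMZ/trusted core), modelled as small first-match rulesets so the policy can be checked against sample packets. This is an added example, not code from the original text; the prefixes, hosts and rule tables are constructed assumptions.

```python
# Added example: first-match packet-filter model for a DMZ design with a
# border filter (Internet <-> DMZ) and an internal filter (DMZ <-> core).
# All addresses are constructed documentation/private prefixes, not real hosts.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")          # matches any source/destination
DMZ = ip_network("192.0.2.0/24")       # assumed perimeter (DMZ) LAN
TRUSTED = ip_network("10.0.0.0/8")     # assumed trusted core networks


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


# Rule tuple: (src_net, dst_net, proto, dport, action); None means "any".
BORDER_RULES = [
    (ANY, DMZ, "tcp", 80, "allow"),          # HTTP from the Internet to DMZ
    (ANY, DMZ, "tcp", 23, "deny"),           # telnet is explicitly refused
    (ANY, DMZ, "tcp", 79, "deny"),           # finger is explicitly refused
    (ANY, TRUSTED, None, None, "deny"),      # nothing reaches the core directly
    (DMZ, ANY, None, None, "allow"),         # DMZ servers may talk outbound
]
INTERNAL_RULES = [
    (DMZ, TRUSTED, None, None, "deny"),      # a compromised DMZ host stays out
    (TRUSTED, DMZ, None, None, "allow"),     # core may manage DMZ servers
]


def evaluate(rules, pkt, default="deny"):
    """Return the action of the first matching rule, else the default (deny)."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for src_net, dst_net, proto, dport, action in rules:
        if (src in src_net and dst in dst_net
                and (proto is None or proto == pkt.proto)
                and (dport is None or dport == pkt.dport)):
            return action
    return default


if __name__ == "__main__":
    web = Packet("203.0.113.5", "192.0.2.10", "tcp", 80)    # constructed
    telnet = Packet("203.0.113.5", "192.0.2.10", "tcp", 23)
    print("border web:", evaluate(BORDER_RULES, web))        # allow
    print("border telnet:", evaluate(BORDER_RULES, telnet))  # deny
```

Ports not listed in a ruleset fall through to the default deny, which is the behaviour a perimeter filter should have rather than relying on per-protocol deny entries.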

Perimeter networks are generally small LANs connecting border routers with internal routers. If the perimeter network is also a DMZ, the servers that handle requests from the Internet will often connect directly to the DMZ network.

Simpler network designs may not have any networks more trusted than the perimeter network. For example, small ISPs may connect their border routers and all their servers to a single LAN. In this case, the perimeter network is the only network.

This might be a good place for a note.

If you connect to your ISPs via point-to-point serial lines, then these lines are not your perimeter network. They are typically part of your ISP's AS. Similarly, if you hand off at a NAP to an ISP Ethernet, then the ISP's Ethernet is not your perimeter network. You can use this "AS straddling" to your advantage as shown in the section called Telnet to an Interface in Each AS in Chapter 14.

Copyright © 1999-2000 by Robert A. Van Valzah