Which configuration is typically used to secure a demilitarized zone (DMZ) by placing firewalls on both the external and internal sides?

The configuration that typically secures a demilitarized zone (DMZ) by placing firewalls on both the external and internal sides is the screened subnet. This architecture involves using a firewall to filter incoming and outgoing traffic to and from the DMZ, as well as a second firewall that separates the DMZ from the internal network.

The primary purpose of a DMZ is to add an additional layer of security to an organization’s internal network by isolated public-facing services, reducing the risk of an attacker gaining direct access to the internal network. By employing firewalls on both sides of the DMZ—one controlling access from the outside world and another that protects the internal network from potentially compromised resources within the DMZ—organizations can better monitor and control traffic flows and enforce security policies.

Additionally, this configuration allows for detailed logging and inspection of traffic as it passes through the firewalls, enhancing overall security posture and threat detection capabilities. By utilizing this architecture, organizations can effectively manage risk associated with hosting services that require exposure to the Internet without exposing their entire internal infrastructure.