In the former days, depending on many different network layouts or constructions, or simply based on many different needs,
late in the 1970s and early 1980s, at SANS USA three main types of demilitarized zones (DMZs) were defined, plus
one subdivision of one of them. And to this day "we" are all able to speak about the same thing if we say
we have this or that type of DMZ. That makes things much easier, and we don't talk about something on the right side
while all the people or listeners are looking to the left side! That is why I am talking about it in this way; others may
also have other opinions and knowledge on this, and for sure I don't want to bother with them, but that's how I know it to be right.
DMZ 1 - A real DMZ (dual-homed or bastion host)
Two routers or firewalls behind each other (router cascade)
DMZ 2 - "Pseudo DMZ"
An "exposed host" that lets all traffic through unfiltered
DMZ 3 (a) - Unreal DMZ (one device with a DMZ port)
One firewall or router with a dedicated port that homes the DMZ subnet; ports can be opened and protocols can be forwarded
DMZ 3 (b) - Unreal DMZ (one device with its own dedicated hardware DMZ port)
The same as variant (a), but the DMZ port is not connected to the same internal switch chip or CPU as the other ports
There will surely be hundreds to thousands of other available constructs and possible ways to go, but they can all be
mapped to one of these three main types of DMZ. So that we are all talking about the same thing!
If I set up an unreal DMZ, I don't have to open all ports and allow all protocols; I only need to open and forward what the servers
inside the DMZ offer as a service, nothing more. And this can be inspected by DPI, or usually in this case with an
IDS/IPS system. A proxy can also sit between the servers and the internet so that no one has direct contact with those servers to play
with.
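As an added illustration of the "unreal DMZ" and "pseudo DMZ" variants described in the post above (example code written for this page, not the poster's own): a small Python model of the zone policy that a single firewall with a dedicated DMZ port would enforce. The subnets, host addresses and published ports are constructed for the example; the `exposed_host` switch is an assumption that mirrors the pseudo-DMZ case where one host receives all traffic unfiltered.

```python
# Added example (not from the forum post): a model of the "unreal DMZ" policy,
# i.e. one firewall with a dedicated DMZ port where only the services the DMZ
# servers actually offer are forwarded from the internet.
# All addresses, subnets, hosts and ports below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone layout: anything not in LAN or DMZ is treated as WAN.
ZONES = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}

# The only services the DMZ servers offer; nothing else is forwarded from WAN.
PUBLISHED_SERVICES = {
    ("192.168.100.10", "tcp", 80),   # constructed: web server
    ("192.168.100.10", "tcp", 443),
    ("192.168.100.20", "tcp", 25),   # constructed: mail relay
}


@dataclass(frozen=True)
class Flow:
    """First packet of a new connection (stateful return traffic is implied)."""
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown ranges count as the internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "wan"


def decide(flow: Flow, exposed_host: Optional[str] = None) -> str:
    """Return 'accept' or 'drop' for a new connection.

    exposed_host=None models the unreal DMZ (DMZ 3a): WAN reaches only the
    published DMZ services, and the DMZ can never initiate into the LAN.
    exposed_host set models the pseudo DMZ (DMZ 2): every WAN connection to
    that single host is let through, on any port and protocol.
    """
    s, d = zone_of(flow.src), zone_of(flow.dst)

    if s == "wan":
        if exposed_host is not None and flow.dst == exposed_host:
            return "accept"  # pseudo DMZ: no filtering at all for that host
        if d == "dmz" and (flow.dst, flow.proto, flow.dport) in PUBLISHED_SERVICES:
            return "accept"
        return "drop"        # unpublished DMZ ports and the whole LAN stay closed

    if s == "dmz":
        # A compromised DMZ server must not be able to pivot into the LAN.
        return "drop" if d == "lan" else "accept"

    if s == "lan":
        return "accept"      # LAN may manage the DMZ and use the internet

    return "drop"            # default deny for anything unexpected


def audit(flows, exposed_host: Optional[str] = None):
    """Evaluate a batch of flows and return {flow: decision}."""
    return {f: decide(f, exposed_host) for f in flows}


if __name__ == "__main__":
    sample = [  # constructed traffic
        Flow("203.0.113.5", "192.168.100.10", "tcp", 443),   # internet -> published web
        Flow("203.0.113.5", "192.168.100.10", "tcp", 22),    # internet -> SSH on DMZ host
        Flow("203.0.113.5", "192.168.1.50", "tcp", 445),     # internet -> LAN file server
        Flow("192.168.100.10", "192.168.1.50", "tcp", 445),  # DMZ web server -> LAN SMB
        Flow("192.168.1.50", "192.168.100.10", "tcp", 22),   # LAN admin -> DMZ host
    ]
    for f, verdict in audit(sample).items():
        print(f"{f.src:>15} -> {f.dst:<15} {f.proto}/{f.dport:<5} {verdict}")
```

The rule worth carrying into a real firewall is the DMZ-to-LAN drop: forwarding only the published ports limits the entry points, but it is the block on connections initiated from the DMZ that keeps a compromised web server from reaching the internal network.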
A DMZ is a lazy man's method.
And now the master question here: what kind of DMZ are you talking about in this case?
You are better off creating a secondary secure subnet/interface and controlling the traffic properly with port triggering/forwarding.
If someone is demanding a bigger security requirement than others, then perhaps a firewall with a dedicated DMZ port is the
baseline he should walk on.