Overview
Connections between DoD enclaves and the Internet or other public or commercial wide area networks require a demilitarized zone (DMZ).
Threat
When DoD systems are connected to public networks without the proper DMZ configuration unscrupulous individuals or groups can access sensitive information within an enclave and launch denial of service attacks. The use of a DMZ adds a reasonable layer of protection against external untrusted networks and DoD systems.
Guidance
1. Components shall identify the need for utilitzing a DMZ.
2. A Firewall device and routing schema shall be employed , i.e.: use of a dual-honed with screened subnet firewall architecture.
3. Refer to DoD or other applicable guidance for proper connection requirements and procedures.
DoD classifies this control in the subject area of “Enclave Boundary Defense” with a impact of “High”.