Connections between DoD enclaves and the Internet or other public or commercial wide area networks require a demilitarized zone (DMZ).
MAC / CONF
Enclave Boundary Defense
When DoD systems are connected to public networks without a proper DMZ configuration, unscrupulous individuals or groups can access sensitive information within an enclave and launch denial-of-service attacks. The use of a DMZ adds a reasonable layer of protection between external untrusted networks and DoD systems.
1. Components shall identify the need for utilizing a DMZ.
2. A firewall device and routing schema shall be employed, i.e., use of a dual-homed, screened-subnet firewall architecture.
3. Refer to DoD or other applicable guidance for proper connection requirements and procedures.
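The screened-subnet arrangement in item 2, as an added example that is not part of this control or of any DISA STIG: an nftables ruleset for a single firewall with three interfaces, where the Internet can reach only the published DMZ services, the enclave is unreachable from either untrusted side, and every other flow is dropped and logged. Interface names (wan0, dmz0, lan0), the DMZ host address 192.0.2.10 and the permitted ports are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: three-interface (screened subnet) boundary firewall.
# Assumed interface names: wan0 = Internet, dmz0 = DMZ, lan0 = enclave.
# 192.0.2.10 is a placeholder for the published DMZ web server.
flush ruleset

table inet enclave_boundary {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        # Management of the firewall itself only from the enclave side
        iifname "lan0" tcp dport 22 ct state new accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept

        # Anti-spoofing: private/enclave source addresses never arrive from the WAN
        iifname "wan0" ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } log prefix "spoof: " drop

        # Internet -> DMZ: only the published services on the published host
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport { 80, 443 } ct state new accept

        # Internet -> enclave: never permitted (falls through to the logged drop)

        # Enclave -> DMZ: administration and content publishing
        iifname "lan0" oifname "dmz0" ct state new accept

        # Enclave -> Internet: outbound web only
        iifname "lan0" oifname "wan0" tcp dport { 80, 443 } ct state new accept

        # DMZ -> enclave and DMZ -> Internet: not permitted, so a compromised
        # DMZ host cannot initiate connections into the enclave or outbound

        # Everything else is dropped and logged for the CND monitoring staff
        log prefix "boundary-drop: " drop
    }
}
```

The logged drops from the forward chain are the records a boundary-monitoring team would review for attempted access to the enclave from the untrusted side.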
CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND), 10 August 2004
DISA Network Infrastructure STIG, Version 6 Draft, 29 October 2004
DISA Enclave Security STIG, Version 2, Release 1, 01 July 2004
DISA Web Server STIG, Version 5 Draft, 26 July 2004