Implementing Demilitarised Zones in Gateways
Gateways use demilitarised zones to safely allow outside parties access to organisational services.
Plain language
A Demilitarised Zone (DMZ) in networking is like a buffer area that helps protect an organisation's internal network when dealing with outside parties. Think of it as a way to show outsiders what they need to see without letting them roam around where they're not supposed to be. Without a DMZ, you risk exposing sensitive parts of your network, which can lead to data breaches or unauthorised access.
Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: NC, OS, P, S, TS
ISM last updated: Feb 2022
Control Stack last updated: 19 Mar 2026
E8 maturity levels: N/A
Official control statement
Gateways implement a demilitarised zone if external parties require access to an organisation's services.
Why it matters
Without a DMZ, internet-facing services can expose internal networks directly, increasing the likelihood of unauthorised access and data breaches.
Operational notes
Review DMZ firewall rules and segmentation regularly, and monitor DMZ logs for suspicious inbound traffic to ensure internet access cannot reach internal networks.
Implementation tips
- The IT team should identify the services that outside parties need to access. Begin by listing the services that must be externally reachable, such as email or web servers, and isolate them from sensitive internal systems by placing them in the DMZ.
- System administrators should configure a firewall around the DMZ. Set up rules that limit which internal resources can be reached from the DMZ and vice versa, allowing only the traffic each service actually needs.
- The IT team should regularly update and patch systems in the DMZ. Schedule frequent checks to confirm that all applications and systems are current, since DMZ hosts are the first to be probed from the internet.
- The security manager should organise staff training on DMZ usage policies. Explain the purpose of the DMZ and how it protects core network services, making sure everyone understands which systems can and cannot be accessed externally.
- The network manager should monitor traffic in and out of the DMZ. Use network monitoring tools to track unusual patterns that might indicate a security threat, and create alerts for abnormal behaviour.
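The second and fifth tips above (firewall rules that confine DMZ traffic, and review of those rules) can be checked mechanically. The script below is an added example, not part of the Control Stack page or the ISM; it defines a small constructed rule syntax (not any vendor's format), parses a ruleset, and flags the segmentation gaps a reviewer would look for: accepts that bypass the DMZ straight into the internal network, DMZ-to-internal accepts outside an allowlist of expected backend ports, internet-to-DMZ accepts with no port restriction, and a missing final drop-all rule. The allowlist contents and the two sample rulesets are assumptions made for the demonstration.

```python
"""Added example: audit a simplified gateway ruleset for DMZ segmentation gaps.

Rule syntax (constructed for this example, not a real firewall's format):
    <action> from <src_zone> to <dst_zone> <proto> <port>
zone: internet | dmz | internal | any    proto: tcp | udp | any    port: number | any
"""
from dataclasses import dataclass
from typing import Optional

ZONES = {"internet", "dmz", "internal", "any"}
PROTOS = {"tcp", "udp", "any"}


@dataclass(frozen=True)
class Rule:
    action: str          # accept | drop
    src: str             # source zone
    dst: str             # destination zone
    proto: str           # tcp | udp | any
    port: Optional[int]  # None means any destination port


# Assumption: the only connections DMZ hosts may initiate into the internal
# network are a database backend and DNS. Adjust this to the real design.
DMZ_TO_INTERNAL_ALLOWLIST = {("tcp", 1433), ("udp", 53), ("tcp", 53)}


def parse_rule(line: str) -> Rule:
    """Parse one rule line (trailing '# comment' allowed); ValueError if malformed."""
    tokens = line.split("#", 1)[0].split()
    if len(tokens) != 7 or tokens[1] != "from" or tokens[3] != "to":
        raise ValueError(f"malformed rule: {line!r}")
    action, _, src, _, dst, proto, port = tokens
    if action not in {"accept", "drop"} or src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown action or zone: {line!r}")
    if proto not in PROTOS:
        raise ValueError(f"unknown protocol: {line!r}")
    return Rule(action, src, dst, proto, None if port == "any" else int(port))


def parse_ruleset(text: str) -> list[Rule]:
    """Parse a ruleset, skipping blank lines and comment-only lines."""
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def audit(rules: list[Rule]) -> list[str]:
    """Return human-readable findings; an empty list means no gaps were found."""
    findings = []
    for n, r in enumerate(rules, 1):
        if r.action != "accept":
            continue
        wide_src = r.src in {"internet", "any"}      # traffic that may come from outside
        wide_dst = r.dst in {"internal", "any"}      # traffic that may reach the inside
        if wide_src and wide_dst:
            findings.append(f"rule {n}: internet-to-internal accept bypasses the DMZ")
        elif r.src == "dmz" and wide_dst:
            if r.port is None or (r.proto, r.port) not in DMZ_TO_INTERNAL_ALLOWLIST:
                findings.append(f"rule {n}: dmz-to-internal accept outside the allowlist "
                                f"({r.proto}/{r.port if r.port is not None else 'any'})")
        elif wide_src and r.dst == "dmz" and r.port is None:
            findings.append(f"rule {n}: internet-to-dmz accept without a port restriction")
    # Segmentation depends on everything not explicitly allowed being dropped.
    if not rules or rules[-1] != Rule("drop", "any", "any", "any", None):
        findings.append("ruleset does not end with an explicit drop-all rule")
    return findings


# Constructed sample: a ruleset that nominally has a DMZ but leaks around it.
WEAK_RULESET = """
accept from internet to dmz tcp 443        # public web server
accept from internet to dmz tcp any        # gap: every DMZ port exposed
accept from dmz to internal any any        # gap: a compromised DMZ host can pivot anywhere
accept from internet to internal tcp 3389  # gap: remote desktop straight into the inside
drop from any to any any any
"""

# Constructed sample: the same services with traffic confined to what they need.
HARDENED_RULESET = """
accept from internet to dmz tcp 443        # public web server
accept from internet to dmz tcp 25         # inbound mail relay
accept from dmz to internal tcp 1433       # web tier to its database only
accept from dmz to internal udp 53         # DMZ resolvers to internal DNS
accept from internal to dmz tcp 22         # administration initiated from inside only
drop from any to any any any
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"{name}: {audit(parse_ruleset(text)) or ['no findings']}")
```

The check models zones rather than addresses, which is how DMZ rules should be reasoned about during a review: the question is never "is this IP allowed" but "can the internet reach the inside without passing through a DMZ host, and can a DMZ host reach more of the inside than its service requires". The allowlist is deliberately narrow; any DMZ-to-internal flow not listed is a finding to justify or remove.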
Audit / evidence tips
- Ask: the network architecture diagram. Good: a diagram clearly showing an isolated DMZ with limited access routes to internal resources.
- Ask: firewall configuration files. Good: configurations showing restricted access, allowing only the necessary external connections.
- Good: records demonstrating consistent patching and updating of systems in the DMZ.
- Ask: staff training records on DMZ policies. Good: documentation of recent training sessions with attendee signatures and content covered.
- Good: logs showing active monitoring and a history of threat detection and response.
Cross-framework mappings
How ISM-0637 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.22 | ISM-0637 requires gateways to implement a demilitarised zone (DMZ) when external parties need access to an organisation's services | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.