Profile picture for user sstein

We all love the Internet, but unfortunately it is also a source of evil. If you are operating a public Internet service such as ARIS Community or a company homepage, one of a network administrator’s greatest fears is that the server gets hacked and opens up the company network to the public. To prevent that, such servers are put into a so called demilitarized zone (DMZ). The DMZ is accessible from the Internet through a firewall, which allows the necessary incoming connections. Typically, a DMZ is used for the following kind of services:

  • public web server
  • public file server (FTP)
  • domain name servers (DNS)
  • web proxy
  • email server

The DMZ is used for all services, which must be accessible from outside. All other services reside in the private network (LAN), which is protected by a firewall. The LAN can comprise additional servers such as web servers, which must be only accessed internally (e.g. Intranet).

A DMZ can be implemented physically or logically. In a physical setup, dedicated machines and connections are used, whereas in a logical setup separation is done on the network management layers.

The attached ARIS Express model visualises a possible DMZ setup. The diagram uses an IT Infrastructure diagram. This diagram provides modelling objects such as networks (e.g. LAN, WAN, DMZ), network devices (e.g. router, switch), hardware, and IT systems (e.g. web server, email server).

by Henry Torrent
Posted on Wed, 10/28/2009 - 13:26

It’s good that you've depicted only public FTP and public WEB services in DMZ, cause, these services are really placed in DMZ. But there are exceptions like MS Exchange Server. A lot of IT specialists build mail service of company with Exchange Servers placed in LAN area. They just open some ports to realize access to mail protocols from WAN (especially from Internet). Today there are a lot of discussions on this theme :) Somehow it’s own decision of each IT specialist.

Sebastian, do you have a wish to represent case when we have VPN connections to corporate network?  I want to see it, it’s very interesting.


by Sebastian Stein Author
Posted on Wed, 10/28/2009 - 14:37

Hi Henry,

you are raising an important point with VPN. A VPN must be accessible for the public. Therefore, the VPN server must be located in the DMZ. I have updated the diagram to reflect this. I used a "network device" for the VPN Server, because today VPN servers are appliances, which you can directly integrate in your network.

In the updated diagram, the VPN is the only way to handle incoming connections to the LAN. Outgoing connections from the LAN do not need to go through the VPN server.

Does that make sense or would you model it in a different way?

by Henry Torrent
Posted on Wed, 10/28/2009 - 16:37

 Your model is very safe model. But, actually, I think, it’s realized in huge companies where prohibited full access to LAN area. But in small companies and in home solutions there is simpler construction…

VPN server is placed inside of LAN area, because it’s used just for unrestricted access to services inside LAN.

Technical realization: in this case we should open and redirect the port 1723 on firewall to forward packets from WAN to VPN Server.

But I have next question to you…

If I want to depict VPN Server on diagram as software solution (not hardware), what kind of rectangle should I take? Is it “IT system”?

DMZ-n-VPN in small companies

by Sebastian Stein Author
Posted on Thu, 10/29/2009 - 10:13

Hi Henry,

there are different ways to model it. If you want to depict your VPN Server as a software solution, you would use IT system. If important, you would put it on a hardware.



by Henry Torrent
Posted on Thu, 10/29/2009 - 11:31

 Ooh, yes, I had same supposition.

Thank you for help and confirmation of my guess.

by Lamine Abdoul-Hamid
Posted on Fri, 10/30/2009 - 09:19


i don't understand why you use a VPN in a LAN, Activating IPSec on your Servers will be enough.



Featured achievement

Say hello to the ARIS Community! Personalize your community experience by following forums or tags, liking a post or uploading a profile picture.
Recent Unlocks
  • SS
  • MZ
  • Profile picture for user kbiront
  • Profile picture for user Tony Iliev
  • Profile picture for user amandeep.7.singh
  • PacMan


icon-arrow-down icon-arrow-cerulean-left icon-arrow-cerulean-right icon-arrow-down icon-arrow-left icon-arrow-right icon-arrow icon-back icon-close icon-comments icon-correct-answer icon-tick icon-download icon-facebook icon-flag icon-google-plus icon-hamburger icon-in icon-info icon-instagram icon-login-true icon-login icon-mail-notification icon-mail icon-mortarboard icon-newsletter icon-notification icon-pinterest icon-plus icon-rss icon-search icon-share icon-shield icon-snapchat icon-star icon-tutorials icon-twitter icon-universities icon-videos icon-views icon-whatsapp icon-xing icon-youtube icon-jobs icon-heart icon-heart2 aris-express bpm-glossary help-intro help-design Process_Mining_Icon help-publishing help-administration help-dashboarding help-archive help-risk icon-knowledge icon-question icon-events icon-message icon-more icon-pencil forum-icon icon-lock