<Li> Centralized web content filtering. </Li> <P> A reverse proxy server, like a proxy server, is an intermediary, but is used the other way around. Instead of providing a service to internal users wanting to access an external network, it provides indirect access for an external network (usually the Internet) to internal resources. For example, access to a back office application, such as an email system, could be provided to external users (to read emails while outside the company), but the remote user would not have direct access to their email server (only the reverse proxy server can physically access the internal email server). This is an extra layer of security particularly recommended when internal resources need to be accessed from the outside, but it's worth noting that this design still allows remote (and potentially malicious) users to talk to the internal resources with the help of the proxy. Since the proxy functions as a relay between the non-trusted network and the internal resource, it may also forward malicious traffic (e.g. application-level exploits) towards the internal network; therefore the proxy's attack detection and filtering capabilities are crucial in preventing external attackers from exploiting vulnerabilities present in the internal resources that are exposed via the proxy. Usually such a reverse proxy mechanism is provided by using an application layer firewall that focuses on the specific shape and contents of the traffic rather than just controlling access to specific TCP and UDP ports (as a packet filter firewall would do), but a reverse proxy is usually not a good substitute for a well-thought-out DMZ design, as it has to rely on continuous signature updates for updated attack vectors. </P> <P> There are many different ways to design a network with a DMZ. Two of the most basic methods are with a single firewall, also known as the three-legged model, and with dual firewalls. 
These architectures can be expanded to create very complex architectures depending on the network requirements. </P> <P> A single firewall with at least 3 network interfaces can be used to create a network architecture containing a DMZ. The external network is formed from the ISP to the firewall on the first network interface, the internal network is formed from the second network interface, and the DMZ is formed from the third network interface. The firewall becomes a single point of failure for the network and must be able to handle all of the traffic going to the DMZ as well as the internal network. The zones are usually marked with colors - for example, purple for LAN, green for DMZ, red for Internet (with often another color used for wireless zones). </P>
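<P> An added example, not part of the original page: a first-match audit of a single-firewall (three-legged) rule set that reports any allowed flow into the LAN other than the reverse proxy's path to the mail server. The addresses, port 443, the rule format, the placement of the proxy in the DMZ and all function names are assumptions made for illustration. </P>

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption): LAN and DMZ sit on two firewall
# interfaces; every other address is treated as the Internet side.
ZONES = {"lan": ip_network("10.0.0.0/24"), "dmz": ip_network("192.0.2.0/24")}
PROXY, MAIL = "192.0.2.10", "10.0.0.25"  # reverse proxy (DMZ), mail server (LAN)
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    src: str       # source CIDR
    dst: str       # destination CIDR
    port: int = 0  # destination TCP port, 0 = any

def zone_of(addr):
    ip = ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "internet")

def decide(rules, src, dst, port):
    """First matching rule wins; a new connection with no match is denied."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst)
                and r.port in (0, port)):
            return r.action
    return "deny"

def audit(rules, probes):
    """List allowed probes that enter the LAN without using the proxy-only path."""
    findings = []
    for src, dst, port in probes:
        if zone_of(dst) != "lan" or zone_of(src) == "lan":
            continue  # only flows crossing into the LAN are of interest
        if decide(rules, src, dst, port) == "allow" and (src, dst, port) != (PROXY, MAIL, 443):
            findings.append((zone_of(src), src, dst, port))
    return findings

# Constructed rule sets: GOOD exposes only the proxy; BAD adds two shortcuts.
GOOD = [Rule("allow", ANY, PROXY + "/32", 443),           # Internet -> proxy
        Rule("allow", PROXY + "/32", MAIL + "/32", 443),  # proxy -> mail only
        Rule("allow", "10.0.0.0/24", ANY)]                # LAN may go out
BAD = [Rule("allow", ANY, MAIL + "/32", 993),             # forward straight to mail
       Rule("allow", "192.0.2.0/24", "10.0.0.0/24")] + GOOD  # DMZ trusted by LAN
PROBES = [("203.0.113.7", PROXY, 443), ("203.0.113.7", MAIL, 993),
          (PROXY, MAIL, 443), (PROXY, MAIL, 22), ("192.0.2.20", "10.0.0.5", 445)]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(rules, PROBES))
```

<P> Because evaluation is first-match, the two broad rules placed ahead of the proxy rules in the BAD set decide the outcome, which is why rule order belongs in any review of a single-firewall DMZ. </P>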

Which type of device should you use to create the DMZ?