Internal systems hold valuable data and are not exposed directly to the internet, but a DMZ plays a proxy role in between. Just imagine that a DMZ server is compromised and the internal LAN is wide open. In this situation, attackers could find a way into your network.
Let's take a look at an example of setting up a web server in a DMZ.
You must set a baseline for what you want to protect and consider scalability, availability, and agility. You have the freedom to choose the number of firewalls for setting up a DMZ, but two firewalls would be a good start. With two firewalls, you can put front-line servers behind a perimeter firewall (DMZ) and internal resources under a different firewall.
You can also have multiple scenarios in this design. I will try to cover those as well. A web server can be configured with a private IP that is then NATed to a public IP for internet reachability. However, you can also configure a public IP directly on the server. Web servers can be configured with dual NICs: a front-end (FE) NIC and a back-end (BE) NIC. A connection coming from the internet will be terminated on the FE NIC, and a new connection will be made to access the app and database servers. Since this is a web server, only a rule for port 80 or 443 is required on the DMZ firewall. Port 1433 on the Tier-1 firewall will allow a connection from the web server to the app and database servers, assuming it is a SQL server.
In this diagram, you can see that a new connection has been made for a web server on port 80 on public IP 2.2.2.2. Once this connection hits the front-line firewall, the NAT rule will translate this connection to the real IP of the web server, which is 10.10.10.1. The decision of whether single or dual interface IPs should be used in order to connect further to database servers will now depend upon the NIC design:
Do I really need dual NICs? This design is possible with either a single NIC or dual NICs. A dual NIC design is more secure, considering that with a single NIC you might need to adjust the routing, switching, and NAT statements in order to communicate between private IP spaces. Dual NICs give an extra physical layer of separation to achieve higher security.
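The two rule sets described above can be checked as a small model before they are pushed to real firewalls. This is an added example, not configuration from the original text: the public IP, the web server IP and the ports come from the text, while the BE NIC address, the SQL server address, the client address and all function names are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# From the text: public IP 2.2.2.2 is NATed to the web server at 10.10.10.1.
# Assumed for illustration: BE NIC 10.20.20.1 and SQL server 10.30.30.10.
PUBLIC_VIP, WEB_FE = "2.2.2.2", "10.10.10.1"
WEB_BE, SQL_DB = "10.20.20.1", "10.30.30.10"
CLIENT = "198.51.100.7"  # constructed internet client (documentation range)

# NAT rule on the perimeter firewall: (public IP, port) -> real server IP.
DNAT = {(PUBLIC_VIP, 80): WEB_FE, (PUBLIC_VIP, 443): WEB_FE}

# Allow lists as (source net, destination net, port); anything else is denied.
DMZ_FW = [("0.0.0.0/0", WEB_FE + "/32", 80), ("0.0.0.0/0", WEB_FE + "/32", 443)]
TIER1_FW = [(WEB_BE + "/32", SQL_DB + "/32", 1433)]

def allowed(rules, src, dst, port):
    """Return True if any rule permits the flow; otherwise default deny."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(rs) and d in ip_network(rd) and port == rp
               for rs, rd, rp in rules)

def perimeter(src, dst, port):
    """Apply the NAT rule, then filter. Returns the real server IP or None."""
    real = DNAT.get((dst, port))
    if real is None:  # no NAT rule for this address/port, so nothing is exposed
        return None
    return real if allowed(DMZ_FW, src, real, port) else None

def tier1(src, dst, port):
    """Filter traffic leaving the DMZ toward internal resources."""
    return allowed(TIER1_FW, src, dst, port)

def audit():
    """Evaluate the flows a reviewer would test; True means the flow passes."""
    return {
        "internet -> web :80": perimeter(CLIENT, PUBLIC_VIP, 80) == WEB_FE,
        "internet -> web :443": perimeter(CLIENT, PUBLIC_VIP, 443) == WEB_FE,
        "internet -> public IP :1433": perimeter(CLIENT, PUBLIC_VIP, 1433) is not None,
        "web BE NIC -> SQL :1433": tier1(WEB_BE, SQL_DB, 1433),
        "web FE NIC -> SQL :1433": tier1(WEB_FE, SQL_DB, 1433),
        "web BE NIC -> SQL :3389": tier1(WEB_BE, SQL_DB, 3389),
    }

if __name__ == "__main__":
    for flow, passes in audit().items():
        print(f"{'ALLOW' if passes else 'DENY '}  {flow}")
```

In a single NIC design the source in `TIER1_FW` would be the web server's only address, so the same rule that admits the SQL connection also applies to the interface that faces the internet.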
Having said that, a DMZ is an important part of your network security architecture.
You need a way to expose services to the internet world, but in a controlled and secure manner. To create a DMZ successfully, a proper understanding of access policies and configuration is required for firewall detection.