The Importance of a DMZ
The DMZ prevents computers on the Internet from talking to computers inside the corporate network. Instead, computers on the Internet can only talk to specially locked-down computers on the DMZ.
The exception to this rule is remote employees who connect to the corporate network through a VPN gateway.
The Limitations of a DMZ
The servers on the DMZ can be accessed from the Internet, making them more exposed.
Because VPN connections provide direct access, a malicious user who can guess someone's password, or who can create their own VPN account (by compromising a Domain Controller), will have unimpeded access to the internal network.
Vidder's DMZ Recommendations
Vidder strongly recommends using a DMZ for all services accessed from the Internet. Each server on the DMZ should be limited to hosting only one service so that the server can be fully hardened and locked down. In addition, Vidder recommends they be deployed as virtual machines so one physical machine can host multiple services and each can be re-imaged easily, if compromised.
All unnecessary software packages should be removed from these servers, configuration procedures should be put in place to harden them, and host-based firewall rules should be implemented to lock them down (these will be redundant with the physical firewall rules discussed below).
The Internet-facing firewall should only open a single port to the IP address of each individual server that offers a service on that port. All other connections should be denied.
The internal-facing firewall should lock down all connections from the Internet to the internal network (except to the VPN gateway).
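As an added example (not code from Vidder or from the original page), the three rule sets recommended above expressed as nftables rulesets: the host-based rules on a DMZ server, the Internet-facing firewall that opens one port per server, and the internal-facing firewall that admits Internet traffic only to the VPN gateway. Every address and port is a constructed placeholder: 203.0.113.10 is an assumed DMZ web server whose single service is tcp/443, 203.0.113.5 is an assumed VPN gateway listening on udp/4500, and 10.0.0.0/8 is the assumed internal network. The functions only print rulesets; nothing is applied unless you pipe the output into nft yourself. The Internet-facing generator goes a step beyond the single-server case in the text by taking any number of "ip:proto:port" entries, producing exactly one accept rule per entry under a default-deny policy.

```shell
#!/bin/sh
# Added example, not part of Vidder's recommendations text.
# All addresses, ports and table names below are constructed/assumed.
# Each function prints an nftables ruleset; apply with:  <function> ... | nft -f -

# Host-based rules on a single-service DMZ server: accept only the one service
# port and replies to connections the server opened; everything else is dropped.
# The server is also forbidden from opening connections into the internal network,
# so a compromised DMZ host cannot be used as a stepping stone.
dmz_host_rules() {
  svc_port="$1"; internal_net="$2"
  cat <<EOF
table inet dmz_host {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    tcp dport $svc_port ct state new accept
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
    ip daddr $internal_net drop
    ct state new accept
  }
}
EOF
}

# Internet-facing firewall: one port to one server per entry ("ip:proto:port"),
# default policy drop so every other connection attempt is denied.
internet_fw_rules() {
  cat <<EOF
table inet internet_fw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state invalid drop
    ct state established,related accept
EOF
  for spec in "$@"; do
    ip="${spec%%:*}"; rest="${spec#*:}"
    proto="${rest%%:*}"; port="${rest#*:}"
    printf '    ip daddr %s %s dport %s ct state new accept\n' "$ip" "$proto" "$port"
  done
  cat <<EOF
  }
}
EOF
}

# Internal-facing firewall: connections from the Internet (or the DMZ) into the
# internal network are denied and logged, except those to the VPN gateway.
# Assumption: hosts on the internal network may initiate connections outward.
internal_fw_rules() {
  internal_net="$1"; vpn_gw="$2"; vpn_port="$3"
  cat <<EOF
table inet internal_fw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state invalid drop
    ct state established,related accept
    ip daddr $vpn_gw udp dport $vpn_port ct state new accept
    ip saddr $internal_net ct state new accept
    ip daddr $internal_net log prefix "internal_fw drop: " drop
  }
}
EOF
}

# Syntax-check a generated ruleset on stdin without applying it. nft's dry run
# may need CAP_NET_ADMIN; when nft is not installed the check is skipped.
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    nft -c -f -
  else
    echo "nft not installed; skipping syntax check" >&2
    cat >/dev/null
  fi
}

# Demo: print all three rulesets for the assumed topology.
if [ "${1:-}" = "demo" ]; then
  dmz_host_rules 443 10.0.0.0/8
  internet_fw_rules "203.0.113.10:tcp:443" "203.0.113.5:udp:4500"
  internal_fw_rules 10.0.0.0/8 203.0.113.5 4500
fi
```

Run `sh dmz_rules.sh demo` to see the generated rulesets, or pipe one generator into `check_ruleset` to have nft validate it before applying. The VPN gateway appears twice by design: on the Internet-facing firewall it is just another single-port entry, and on the internal-facing firewall it is the only destination that Internet traffic may reach.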