Provide a region of the system that is separate from both the external users and the internal data and functionality--commonly known as a Demilitarized Zone (DMZ). Restrict access to this region from the outside by means of limiting network traffic flow to certain physical servers. Use the same techniques to limit access from servers in the DMZ to the internal systems.

Architecture implements a DMZ by deploying its dedicated web and application servers on opposite sides of a firewall. The internal firewall will only allow through traffic from the web servers to dedicated locations and ports on the application servers. All other access to internal resources is denied. The web servers and the internal firewall are also defended by a filtering router connected to the outside world.

This pattern usually requires a combination of hardware and software.