What are good suggestions to secure a DMZ zone?

There are Multiple solutions to secure DMZ.
You Should make sure all servers in DMZ are hardened and only required services are running on those servers.
All Servers should be patched.
DMZ should be protected by Firewall and IPS.

1.     If possible , block unnecessary subnets based on country (like china , Russia ) where lots of attacks came  from these countries (implement standard  ACL on the edge router  for better performance)

 

2.       Use stateful type of firewall to inspects packets deeply as they flow through it, unlike the  stateless firewalls which statically to permit or block network  traffic  simply based on the  its source and/or destination ip address and/or port number without  looking  any deeper into the packet.

 

3.       If your switches support PVLAN  (i.e cisco c3750), go ahead and implement this excellent           layer2 isolation technique within your DMZ network.

 

By this way, your DMZ VLAN will be segmented into3 types of secondary VLANS (Promiscuous, isolated, and community vlans)

Attach your gateway, firewall, IDS , IPS nodes into Promiscuous switch interfaceto permit all traffic to pass through (it acts as a trunk)

Attach your cluster servers into separate community PVLANS ( ie : web cluster1 with DMZ:comm1 , web cluser2 with DMZ:comm2 )

Attach your standalone servers into separate isolated PVLANS (i.e. : ftp server1 with DMZ1:iso3 , ftp server2 with DMZ:iso4) .

 

 

 

4.     On your servers , Install host based intrusion detection systems like OSSEC HIDS (it’s totally free) , install updates and patches regularly

 

I found a new solution that we call it honeypot ...

yes

It is true that we should keep only the essential applications/ services running in DMZ zone.
Over and above make sure that all your systems remains patched always, constant monitoring of network rules..