DMZ (networking)

In computer networks, a DMZ (demilitarized zone), also sometimes known as a perimeter network or a screened subnetwork, is a physical or logical subnet that separates an internal local area network (LAN) from other untrusted networks -- usually the public internet. External-facing servers, resources and services are located in the DMZ. Therefore, they are accessible from the internet, but the rest of the internal LAN remains unreachable. This provides an additional layer of security to the LAN as it restricts a hacker's ability to directly access internal servers and data through the internet.

Any service provided to users on the public internet should be placed in the DMZ network. Some of the most common of these services include web servers and proxy servers, as well as servers for email, domain name system (DNS), File Transfer Protocol (FTP) and voice over IP (VoIP).

Content Continues Below

Hackers and cybercriminals around the world can reach the systems running these services on DMZ servers, which need to be hardened to withstand constant attack. The term DMZ comes from the geographic buffer zone that was set up between North Korea and South Korea at the end of the Korean War.

Architecture of network DMZs

There are various ways to design a network with a DMZ. The two basic methods are to use either one or two firewalls, though most modern DMZs are designed with two firewalls. This basic approach can be expanded on to create more complex architectures.

A single firewall with at least three network interfaces can be used to create a network architecture containing a DMZ. The external network is formed by connecting the public internet -- via internet service provider (ISP) connection -- to the firewall on the first network interface. The internal network is formed from the second network interface and the DMZ network itself is connected to the third network interface.

DMZ network diagram
How a network DMZ works

Different sets of firewall rules for monitoring traffic between the internet and the DMZ, the LAN and the DMZ, and the LAN and the internet tightly control which ports and types of traffic are allowed into the DMZ from the internet, limit connectivity to specific hosts in the internal network and prevent unrequested connections either to the internet or the internal LAN from the DMZ.

The more secure approach to creating a DMZ network is a dual-firewall configuration, in which two firewalls are deployed with the DMZ network positioned between them. The first firewall -- also called the perimeter firewall -- is configured to allow external traffic destined to the DMZ only. The second, or internal, firewall only allows traffic from the DMZ to the internal network. This is considered more secure because two devices must be compromised before an attacker can access the internal LAN.

Security controls can be tuned specifically for each network segment. For example, a network intrusion detection and prevention system located in a DMZ could be configured to block all traffic except HTTPS requests to TCP port 443.

How DMZs work

DMZs are intended to function as a sort of buffer zone between the public internet and the private network. Deploying the DMZ between two firewalls means that all inbound network packets are screened using a firewall or other security appliance before they arrive at the servers the organization hosts in the DMZ. 

If a better-prepared threat actor passes through the first firewall, they must then gain unauthorized access to those services before they can do any damage, and those systems are likely to be hardened against such attacks.

Finally, assuming that a well-resourced threat actor is able to breach the external firewall and take over a system hosted in the DMZ, they must still break through the internal firewall before they can reach sensitive enterprise resources. While a determined attacker can breach even the best-secured DMZ architecture, a DMZ under attack should set off alarms, giving security professionals enough warning to avert a full breach of their organization.

Benefits of DMZs

The primary benefit of a DMZ is that it offers users from the public internet access to certain secure services while still maintaining a buffer between those users and the private internal network. The security benefits of this buffer manifest in several ways, including:

Access Control for Organizations. Organizations can provide user access to services situated outside of their network perimeters through the public internet. A DMZ network provides access to these necessary services while simultaneously introducing a level of network segmentation that increases the number of obstacles an unauthorized user must bypass before they can gain access to an organization's private network. In some cases, a DMZ includes a proxy server, which centralizes the flow of internal -- usually employee -- internet traffic and makes recording and monitoring that traffic simpler.

Prevent attackers from performing network reconnaissance. A DMZ, because it acts as a buffer, prevents an attacker from being able to scope out potential targets within the network. Even if a system within the DMZ is compromised, the private network is still protected by the internal firewall separating it from the DMZ. It also makes external reconnaissance more difficult for the same reason. Although the servers in the DMZ are publicly exposed, they are backed by another layer of protection. The public face of the DMZ keeps attackers from seeing the contents of the internal private network. If attackers do manage to compromise the servers within the DMZ, they are still isolated from the private network by the DMZ’s internal barrier.

Protection against IP spoofing. In some cases, attackers attempt to bypass access control restrictions by spoofing an authorized IP address to impersonate another device on the network. A DMZ can stall potential IP spoofers while another service on the network verifies the IP address's legitimacy by testing whether it is reachable.

In each case, the DMZ provides a level of network segmentation that creates a space where traffic can be organized, and public services can be accessed at a safe distance from the private network.

What DMZs are used for

DMZ networks have been an important part of enterprise network security for almost as long as firewalls have been in use and, in large part, are deployed for similar reasons: to protect sensitive organizational systems and resources. DMZ networks can be used to isolate and keep potential target systems separate from internal networks, as well as reduce and control access to those systems outside the organization. Using a DMZ has long been the approach for hosting corporate resources to make at least some of them available to authorized external users.

More recently, enterprises have opted to use virtual machines (VMs) or containers to isolate parts of the network or specific applications from the rest of the corporate environment. Cloud technologies have largely removed the need for many organizations to have in-house web servers. Many of the external facing infrastructure once located in the enterprise DMZ has now migrated to the cloud, such as software-as-a service (SaaS) apps. 

Examples of DMZs

Some cloud services, such as Microsoft Azure, implement a hybrid security approach in which a DMZ is implemented between an organization's on-premises network and the virtual network. This hybrid approach is typically used in situations where the organization's applications run partly on-premises and partly on the virtual network. It's also used in situations where outgoing traffic needs to be audited, or where granular traffic control is required in between the virtual network and the on-premises data center.

A DMZ can also be useful in a home network in which computers and other devices are connected to the internet using a broadband router and configured into a local area network. Some home routers include a DMZ host feature, which can be contrasted against the DMZ sub-network more commonly implemented in organizations with many more devices than would be found in a home. The DMZ host feature designates one device on the home network to function outside of the firewall where it acts as the DMZ while the rest of the home network lies inside the firewall. In some cases, a gaming console is chosen to be the DMZ host so that the firewall doesn't interfere with gaming. Also, the console is a good candidate for a DMZ host because it likely holds less sensitive information than a PC.

Aside from selective use in the home and in the cloud, DMZ's provide a potential solution to the security risks posed by the increasing convergence of IT and OT (operational technology). Industrial equipment such as turbine engines or industrial control systems are being merged with IT technologies, which makes production environments smarter and more efficient, but also creates a larger threat surface. Much of the OT equipment connecting to the internet is not designed to handle attacks in the same way IT devices are.

Compromised OT is potentially more dangerous than an IT breach as well. OT breaches can lead to a breakdown of critical infrastructure, a lapse in valuable production time, and can even threaten human safety, whereas an IT breach results in compromised information. IT infrastructure can also typically recover from cyberattacks with a simple backup, unlike OT infrastructure, which often has no way of recovering lost production time or physical damage.

For example, in 2016 a U.S.-based power company was attacked by ransomware that affected its OT devices and kept many of its customers from receiving power. The company did not have an established DMZ between its IT and OT devices, and its OT devices were not well equipped to handle the ransomware once it reached them. This breach deeply affected the power company's infrastructure and multitudes of customers relying on their service.

A DMZ would have provided increased network segmentation (both within the OT network itself and between the OT and IT networks) and could have potentially curbed the spillover damage that the ransomware caused to the industrial environment.

This was last updated in November 2019

Continue Reading About DMZ (networking)

Dig Deeper on Network Access Control technologies

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Taking this approach is a great way to help with compliance, esp. for PCI DSS where you must segment your cardholder data environment.
Do you think DMZs should be used more widely on internal networks to protect sensitive resources such as intellectual property or sales data?
Yes if resources are used by external N/W as well then DMZ will provides an additional level of security.
Hi Margaret, do you have a reference to this article please?
How important is a network DMZ as enterprises embrace cloud and mobile solutions and enterprise perimeters become increasingly porous?
If I have a router with a second WAN port labeled WAN2 DMZ can I say that this port is a direct connection to the internet without fire wall protection?
How does DMZ work in a network?
The DMZ in networking serves as a buffer zone of sorts while also being, itself, a network that is interposed between the enterprise network and the public internet.

The DMZ network sits outside of the organization's network perimeter, on the public side of the organization's firewall -- and there may be a second firewall positioned between the DMZ network and the public internet.

The theory behind using a DMZ network is that there are certain servers that need to be accessible from the public internet. These DMZ servers should be well-secured and contain only publicly accessible data. The idea is that if the DMZ servers or hosts are breached, most of the organization's resources will still be reasonably safe behind the second firewall.

Will DMZ still have sense if web-server is placed in internal network? The structure is the following: internet-firewall1-DMZ-firewall2-webserver-DB server
Good question; short answer: the concept of a network DMZ is becoming less important than it once was.

The DMZ construct comes down from the very early days of firewalls -- and the internet -- when all networks were wired and internet access for large organizations was through T1 lines and the "perimeter" was more easily created and enforced. 

It was simpler then to create a "demilitarized zone" where network traffic could be channeled and filtered, but now the perimeter is dissolved and there are multiple channels through which the internet is accessible.
  1. firewall1        DMZ             firewall2       webserver-DB server
  2.  entreprise_Internet      firewall1        DMZ           firewall2              Public_internet
  3.  IDS        ntreprise_internet      IPS or Firewall1         DMZ       IPS or Firewall2        Public_internet    IDS 
Please can you explain me the good way among the above, how it's necessary and best way of securing the internet as an administrator and the DMZ one?
How one goes about building a network security architecture -- which is what you're asking about here, I think -- depends hugely on the specifics of the organization deploying the network.

Generally, however, a DMZ is used to connect systems that need to be accessible to the public internet as well as to the enterprise network. As such, number 2 in your list is the most accurate depiction of the DMZ network architecture.

The services that need to be accessible both from inside and outside the network would be deployed on the DMZ network. 
Hi , 

I have a GATEWAT -- where this perform the API management functions. My network team want to host this servers in DMZ, Well i can do it -- the Issue is : How do i need to forward the request to 100's of servers on different port. 

Ex: In my API management -- i have 100 appication api proxies -- these connects to 100 different servers on different port to retrieve the response. 

How do i need to design the system to be compliant with security and still avoid the effort of firewall and longer build time. 

Latheef D


File Extensions and File Formats

Powered by: