DMZ (networking)

In computer networks, a DMZ (demilitarized zone), also sometimes known as a perimeter network or a screened subnetwork, is a physical or logical subnet that separates an internal local area network (LAN) from other untrusted networks -- usually the public internet. External-facing servers, resources and services are located in the DMZ. Therefore, they are accessible from the internet, but the rest of the internal LAN remains unreachable. This provides an additional layer of security to the LAN as it restricts a hacker's ability to directly access internal servers and data through the internet.

Any service provided to users on the public internet should be placed in the DMZ network. Some of the most common of these services include web servers and proxy servers, as well as servers for email, domain name system (DNS), File Transfer Protocol (FTP) and voice over IP (VoIP).

Hackers and cybercriminals around the world can reach the systems running these services on DMZ servers, which need to be hardened to withstand constant attack. The term DMZ comes from the geographic buffer zone that was set up between North Korea and South Korea at the end of the Korean War.

Architecture of network DMZs

There are various ways to design a network with a DMZ. The two basic methods are to use either one or two firewalls, though most modern DMZs are designed with two firewalls. This basic approach can be expanded on to create more complex architectures.

A single firewall with at least three network interfaces can be used to create a network architecture containing a DMZ. The external network is formed by connecting the public internet -- via internet service provider (ISP) connection -- to the firewall on the first network interface. The internal network is formed from the second network interface and the DMZ network itself is connected to the third network interface.

[Figure: DMZ network diagram -- how a network DMZ works]

Different sets of firewall rules for monitoring traffic between the internet and the DMZ, the LAN and the DMZ, and the LAN and the internet tightly control which ports and types of traffic are allowed into the DMZ from the internet, limit connectivity to specific hosts in the internal network and prevent unrequested connections either to the internet or the internal LAN from the DMZ.

The more secure approach to creating a DMZ network is a dual-firewall configuration, in which two firewalls are deployed with the DMZ network positioned between them. The first firewall -- also called the perimeter firewall -- is configured to allow external traffic destined to the DMZ only. The second, or internal, firewall only allows traffic from the DMZ to the internal network. This is considered more secure because two devices must be compromised before an attacker can access the internal LAN.

Security controls can be tuned specifically for each network segment. For example, a network intrusion detection and prevention system located in a DMZ could be configured to block all traffic except HTTPS requests to TCP port 443.
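
The rule sets described above (internet to DMZ, LAN to DMZ, LAN to internet, and the restrictions on connections leaving the DMZ) can be modelled as a default-deny, zone-based policy and audited for rules that would defeat the separation. This is an added example, not part of the original article; the address ranges, hosts, ports and the names ZONES, Rule, RULES, zone_of, allowed and audit are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed addressing plan (assumption): anything outside these is "internet".
ZONES = {"dmz": ipaddress.ip_network("192.0.2.0/24"),
         "lan": ipaddress.ip_network("10.0.0.0/8")}

# dst is a host/CIDR or "any"; port is a TCP port number or "any".
Rule = namedtuple("Rule", "src_zone dst_zone dst port")

# Constructed ruleset covering who may *initiate* a connection; replies are
# assumed to be permitted by stateful connection tracking.
RULES = [
    Rule("internet", "dmz", "192.0.2.10", 443),  # public HTTPS server
    Rule("dmz", "lan", "10.0.5.20", 5432),       # web tier to one database host
    Rule("lan", "dmz", "any", 22),               # admin access into the DMZ
    Rule("lan", "internet", "any", 443),         # user browsing
]

def zone_of(ip):
    """Classify an address as dmz, lan or internet."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "internet")

def allowed(src, dst, port, rules=RULES):
    """Default deny: a new connection passes only if a rule matches it."""
    pair = (zone_of(src), zone_of(dst))
    for r in rules:
        if (r.src_zone, r.dst_zone) != pair:
            continue
        host_ok = r.dst == "any" or ipaddress.ip_address(dst) in ipaddress.ip_network(r.dst)
        if host_ok and r.port in ("any", port):
            return True
    return False

def audit(rules):
    """Return (rule, reason) for every rule that weakens the zone separation."""
    findings = []
    for r in rules:
        pair = (r.src_zone, r.dst_zone)
        if pair == ("internet", "lan"):
            findings.append((r, "internet must never reach the LAN directly"))
        elif pair == ("dmz", "internet"):
            findings.append((r, "DMZ hosts must not initiate outbound connections"))
        elif pair == ("internet", "dmz") and r.port == "any":
            findings.append((r, "internet to DMZ must name specific ports"))
        elif pair == ("dmz", "lan") and r.dst == "any":
            findings.append((r, "DMZ to LAN must name specific hosts"))
    return findings
```

Running audit() over an exported ruleset before each change gives a quick check that no new rule bridges the internet and the LAN or widens the path from the DMZ inward.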

How DMZs work

DMZs are intended to function as a sort of buffer zone between the public internet and the private network. Deploying the DMZ between two firewalls means that all inbound network packets are screened using a firewall or other security appliance before they arrive at the servers the organization hosts in the DMZ. 

If a better-prepared threat actor passes through the first firewall, they must then gain unauthorized access to those services before they can do any damage, and those systems are likely to be hardened against such attacks.

Finally, assuming that a well-resourced threat actor is able to breach the external firewall and take over a system hosted in the DMZ, they must still break through the internal firewall before they can reach sensitive enterprise resources. While a determined attacker can breach even the best-secured DMZ architecture, a DMZ under attack should set off alarms, giving security professionals enough warning to avert a full breach of their organization.

Benefits of DMZs

The primary benefit of a DMZ is that it offers users from the public internet access to certain secure services while still maintaining a buffer between those users and the private internal network. The security benefits of this buffer manifest in several ways, including:

Access Control for Organizations. Organizations can provide user access to services situated outside of their network perimeters through the public internet. A DMZ network provides access to these necessary services while simultaneously introducing a level of network segmentation that increases the number of obstacles an unauthorized user must bypass before they can gain access to an organization's private network. In some cases, a DMZ includes a proxy server, which centralizes the flow of internal -- usually employee -- internet traffic and makes recording and monitoring that traffic simpler.

Prevent attackers from performing network reconnaissance. A DMZ, because it acts as a buffer, prevents an attacker from being able to scope out potential targets within the network. Even if a system within the DMZ is compromised, the private network is still protected by the internal firewall separating it from the DMZ. It also makes external reconnaissance more difficult for the same reason. Although the servers in the DMZ are publicly exposed, they are backed by another layer of protection. The public face of the DMZ keeps attackers from seeing the contents of the internal private network. If attackers do manage to compromise the servers within the DMZ, they are still isolated from the private network by the DMZ’s internal barrier.

Protection against IP spoofing. In some cases, attackers attempt to bypass access control restrictions by spoofing an authorized IP address to impersonate another device on the network. A DMZ can stall potential IP spoofers while another service on the network verifies the IP address's legitimacy by testing whether it is reachable.

In each case, the DMZ provides a level of network segmentation that creates a space where traffic can be organized, and public services can be accessed at a safe distance from the private network.

What DMZs are used for

DMZ networks have been an important part of enterprise network security for almost as long as firewalls have been in use and, in large part, are deployed for similar reasons: to protect sensitive organizational systems and resources. DMZ networks can be used to isolate and keep potential target systems separate from internal networks, as well as reduce and control access to those systems outside the organization. Using a DMZ has long been the approach for hosting corporate resources to make at least some of them available to authorized external users.

More recently, enterprises have opted to use virtual machines (VMs) or containers to isolate parts of the network or specific applications from the rest of the corporate environment. Cloud technologies have largely removed the need for many organizations to have in-house web servers. Much of the external-facing infrastructure once located in the enterprise DMZ, such as software-as-a-service (SaaS) apps, has now migrated to the cloud.

Examples of DMZs

Some cloud services, such as Microsoft Azure, implement a hybrid security approach in which a DMZ is implemented between an organization's on-premises network and the virtual network. This hybrid approach is typically used in situations where the organization's applications run partly on-premises and partly on the virtual network. It's also used in situations where outgoing traffic needs to be audited, or where granular traffic control is required in between the virtual network and the on-premises data center.

A DMZ can also be useful in a home network in which computers and other devices are connected to the internet using a broadband router and configured into a local area network. Some home routers include a DMZ host feature, which can be contrasted against the DMZ sub-network more commonly implemented in organizations with many more devices than would be found in a home. The DMZ host feature designates one device on the home network to function outside of the firewall where it acts as the DMZ while the rest of the home network lies inside the firewall. In some cases, a gaming console is chosen to be the DMZ host so that the firewall doesn't interfere with gaming. Also, the console is a good candidate for a DMZ host because it likely holds less sensitive information than a PC.

Aside from selective use in the home and in the cloud, DMZs provide a potential solution to the security risks posed by the increasing convergence of IT and OT (operational technology). Industrial equipment such as turbine engines or industrial control systems are being merged with IT technologies, which makes production environments smarter and more efficient, but also creates a larger threat surface. Much of the OT equipment connecting to the internet is not designed to handle attacks in the same way IT devices are.

Compromised OT is potentially more dangerous than an IT breach as well. OT breaches can lead to a breakdown of critical infrastructure, a lapse in valuable production time, and can even threaten human safety, whereas an IT breach results in compromised information. IT infrastructure can also typically recover from cyberattacks with a simple backup, unlike OT infrastructure, which often has no way of recovering lost production time or physical damage.

For example, in 2016 a U.S.-based power company was attacked by ransomware that affected its OT devices and kept many of its customers from receiving power. The company did not have an established DMZ between its IT and OT devices, and its OT devices were not well equipped to handle the ransomware once it reached them. This breach deeply affected the power company's infrastructure and multitudes of customers relying on its service.

A DMZ would have provided increased network segmentation (both within the OT network itself and between the OT and IT networks) and could have potentially curbed the spillover damage that the ransomware caused to the industrial environment.

This was last updated in November 2019
