DMZ (networking)

Contributor(s): Peter Loshin and Mike Cobb

In computer networks, a DMZ (demilitarized zone), also sometimes known as a perimeter network or a screened subnetwork, is a physical or logical subnet that separates an internal local area network (LAN) from other untrusted networks, usually the internet. External-facing servers, resources and services are located in the DMZ. So, they are accessible from the internet, but the rest of the internal LAN remains unreachable. This provides an additional layer of security to the LAN as it restricts the ability of hackers to directly access internal servers and data via the internet.

Any service provided to users on the public internet should be placed in the DMZ network. Some of the most common of these services include web servers and proxy servers, as well as servers for email, domain name system (DNS), File Transfer Protocol (FTP) and voice over IP (VoIP).

The systems running these services in the DMZ are reachable by hackers and cybercriminals around the world and need to be hardened to withstand constant attack. The term DMZ comes from the geographic buffer zone that was set up between North Korea and South Korea at the end of the Korean War.

Architecture of network DMZs

There are various ways to design a network with a DMZ. The two basic methods are to use either one or two firewalls, though most modern DMZs are designed with two firewalls. This basic approach can be expanded on to create complex architectures, depending on the network requirements.

A single firewall with at least three network interfaces can be used to create a network architecture containing a DMZ. The external network is formed by connecting the public internet -- via internet service provider (ISP) connection -- to the firewall on the first network interface, the internal network is formed from the second network interface and the DMZ network itself is connected to the third network interface.

DMZ network diagram
How a network DMZ works

Different sets of firewall rules for traffic between the internet and the DMZ, the LAN and the DMZ, and the LAN and the internet tightly control which ports and types of traffic are allowed into the DMZ from the internet, limit connectivity to specific hosts in the internal network and prevent unrequested connections either to the internet or the internal LAN from the DMZ.

The more secure approach to creating a DMZ network is the dual-firewall approach, where two firewalls are deployed with the DMZ network positioned between them. The first firewall -- also called the perimeter firewall -- is configured to allow external traffic destined to the DMZ only. The second or internal firewall only allows traffic from the DMZ to the internal network. This is considered more secure since two devices would need to be compromised before an attacker could access the internal LAN.

As a DMZ segments a network, security controls can be tuned specifically for each segment. For example, a network intrusion detection and prevention system located in a DMZ and providing web services could be configured to block all traffic except HTTPS requests to TCP port 443.

How DMZs work

DMZs are intended to function as a sort of buffer zone between the public internet and the organizational network. Deploying the DMZ between two firewalls means that all inbound network packets are screened using a firewall or other security appliance before they arrive at the servers the organization hosts in the DMZ. This should be enough to block the most casual of threat actors.

If a better-prepared threat actor is able to get through the first firewall, they must then gain unauthorized access to those services before they can do any damage, and those systems are likely to be hardened against such attacks.

Finally, assuming that a well-resourced threat actor is able to breach the external firewall and take over a system hosted in the DMZ, they must still break through the internal firewall before they can reach sensitive enterprise resources. While even the best-secured DMZ architecture can be breached by a determined attacker, a DMZ under attack should set off alarms, giving security professionals enough warning to avert a full breach of their organization.

What DMZs are used for

DMZ networks have been an important part of enterprise network security for almost as long as firewalls have been in use and, in large part, for similar reasons firewalls are deployed: to protect sensitive organizational systems and resources.

The primary benefit of using a DMZ network is to provide access to necessary internet services from the public internet in a secure way. DMZ networks can be used to isolate and keep potential target systems separate from internal networks, as well as to reduce and control access to those systems from outside of the organization.

While many sensitive resources can be protected by deploying them inside the organizational network perimeter, as dependence on access to services through the public internet has grown so has the need for organizations to provide those services to users situated outside their perimeters.

Using a DMZ has long been the solution for hosting corporate resources to make at least some of them available to authorized users.

More recently, enterprises have opted to use virtual machines (VMs) or containers to isolate parts of the network or specific applications from the rest of the corporate environment.

This was last updated in June 2018

Continue Reading About DMZ (networking)

Dig Deeper on Network device security: Appliances, firewalls and switches

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Taking this approach is a great way to help with compliance, esp. for PCI DSS where you must segment your cardholder data environment.
Do you think DMZs should be used more widely on internal networks to protect sensitive resources such as intellectual property or sales data?
Yes if resources are used by external N/W as well then DMZ will provides an additional level of security.
Hi Margaret, do you have a reference to this article please?
If I have a router with a second WAN port labeled WAN2 DMZ can I say that this port is a direct connection to the internet without fire wall protection?
How does DMZ work in a network?
The DMZ in networking serves as a buffer zone of sorts while also being, itself, a network that is interposed between the enterprise network and the public internet.

The DMZ network sits outside of the organization's network perimeter, on the public side of the organization's firewall -- and there may be a second firewall positioned between the DMZ network and the public internet.

The theory behind using a DMZ network is that there are certain servers that need to be accessible from the public internet. These DMZ servers should be well-secured and contain only publicly accessible data. The idea is that if the DMZ servers or hosts are breached, most of the organization's resources will still be reasonably safe behind the second firewall.

Will DMZ still have sense if web-server is placed in internal network? The structure is the following: internet-firewall1-DMZ-firewall2-webserver-DB server
Good question; short answer: the concept of a network DMZ is becoming less important than it once was.

The DMZ construct comes down from the very early days of firewalls -- and the internet -- when all networks were wired and internet access for large organizations was through T1 lines and the "perimeter" was more easily created and enforced. 

It was simpler then to create a "demilitarized zone" where network traffic could be channeled and filtered, but now the perimeter is dissolved and there are multiple channels through which the internet is accessible.
  1. firewall1        DMZ             firewall2       webserver-DB server
  2.  entreprise_Internet      firewall1        DMZ           firewall2              Public_internet
  3.  IDS        ntreprise_internet      IPS or Firewall1         DMZ       IPS or Firewall2        Public_internet    IDS 
Please can you explain me the good way among the above, how it's necessary and best way of securing the internet as an administrator and the DMZ one?
How one goes about building a network security architecture -- which is what you're asking about here, I think -- depends hugely on the specifics of the organization deploying the network.

Generally, however, a DMZ is used to connect systems that need to be accessible to the public internet as well as to the enterprise network. As such, number 2 in your list is the most accurate depiction of the DMZ network architecture.

The services that need to be accessible both from inside and outside the network would be deployed on the DMZ network. 


File Extensions and File Formats

Powered by: