DMZ (demilitarized zone)

Contributor(s): Mike Cobb

In computer networks, a DMZ (demilitarized zone) is a physical or logical sub-network that separates an internal local area network (LAN) from other untrusted networks, usually the Internet. External-facing servers, resources and services are located in the DMZ so they are accessible from the Internet but the rest of the internal LAN remains unreachable. This provides an additional layer of security to the LAN as it restricts the ability of hackers to directly access internal servers and data via the Internet.

Any service that is being provided to users on the Internet should be placed in the DMZ. The most common of these services are: Web, Mail, DNS, FTP, and VoIP. The systems running these services in the DMZ are reachable by hackers and cybercriminals around the world and need to be hardened to withstand constant attack. The term DMZ comes from the geographic buffer zone that was set up between North Korea and South Korea at the end of the Korean War. A DMZ is now often referred to as a perimeter network.

There are various ways to design a network with a DMZ. The two most common methods are with a single or dual firewalls. These architectures can be expanded to create very complex architectures depending on the network requirements. A single firewall with at least three network interfaces can be used to create a network architecture containing a DMZ. The external network is formed from the ISP to the firewall on the first network interface, the internal network is formed from the second network interface, and the DMZ is formed from the third network interface. Different sets of firewall rules for traffic between the Internet and the DMZ, the LAN and the DMZ, and the LAN and the Internet tightly control which ports and types of traffic are allowed into the DMZ from the Internet, limit connectivity to specific hosts in the internal network, and prevent unrequested connections either to the Internet or the internal LAN from the DMZ.

A more secure approach is to use two firewalls to create a DMZ. The first firewall also called the perimeter firewall is configured to allow traffic destined to the DMZ only. The second or internal firewall only allows traffic from the DMZ to the internal network. This is considered more secure since two devices would need to be compromised before an attacker could access the internal LAN. As a DMZ segments a network, security controls can be tuned specifically for each segment. For example a network intrusion detection and prevention system located in a DMZ that only contains as Web server can block all traffic except HTTP and HTTPS requests on ports 80 and 443.

This was last updated in June 2015 ???publishDate.suggestedBy???

Continue Reading About DMZ (demilitarized zone)



Find more PRO+ content and other member only offers, here.

Join the conversation


Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Taking this approach is a great way to help with compliance, esp. for PCI DSS where you must segment your cardholder data environment.
Do you think DMZs should be used more widely on internal networks to protect sensitive resources such as intellectual property or sales data?
Yes if resources are used by external N/W as well then DMZ will provides an additional level of security.
hi margaret do you have a reference to this article pleaase
Call me rip Vanwinkle.  My lynksys home wifi router recently failed (began to experience web site address failures) and was anticipating a router upgrade.  became dimly aware that ipv6 probably opened large security risks.  scrutiny of the security features of latest civilian routers proved "interesting".   what happened to hardware router firewalls?  Further query exposed DMZs and VPNs.  I am hosting a wifi hot spot whether I like it or not.  Three level nets and dual firewalls in this new addressing context?  nothing with less functionality will suffice!  I am now awake and am not happy.  The train left without me.  I was an IT pro and an engineer; it would appear that net security seems not to be relevant to the wider public.  The naive network user, i.e. everyone,  is being left to crass commercial interests; i.e. being ignored.  when he is awakened, it will not be pretty.
If I have a router with a second WAN port labeled WAN2 DMZ can I say that this port is a direct connection to the internet without fire wall protection?
How does DMZ work in a network?


File Extensions and File Formats

Powered by: